# Flog Txt Version 1 # Analyzer Version: 2.3.0 # Analyzer Build Date: Apr 12 2018 14:32:59 # Log Creation Date: 16.05.2018 15:35:54.486 Process: id = "1" image_name = "3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe" filename = "c:\\users\\5jghkoaofdp\\desktop\\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe" page_root = "0x9555000" os_pid = "0xa80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5JgHKoaOfdp\\Desktop\\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe\" " cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0xa50000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 2 start_va = 0xa70000 end_va = 0xa71fff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 3 start_va = 0xa80000 end_va = 0xa8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 4 start_va = 0xa90000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 5 start_va = 0xad0000 end_va = 0xbcffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 6 start_va = 0x1080000 end_va = 0x1087fff entry_point = 0x1080000 region_type = mapped_file name = "3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe" filename = "\\Users\\5JgHKoaOfdp\\Desktop\\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe") Region: id = 7 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8 start_va = 0x7ee60000 end_va = 0x7ee82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee60000" filename = "" Region: id = 9 start_va = 0x7ee84000 end_va = 0x7ee84fff entry_point = 0x0 region_type = private name = "private_0x000000007ee84000" filename = "" Region: id = 10 start_va = 0x7ee85000 end_va = 0x7ee85fff entry_point = 0x0 region_type = private name = "private_0x000000007ee85000" filename = "" Region: id = 11 start_va = 0x7ee8d000 end_va = 0x7ee8ffff entry_point = 0x0 region_type = private name = "private_0x000000007ee8d000" filename = "" Region: id = 12 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 14 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 152 start_va = 0xbd0000 end_va = 0xbd3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 153 start_va = 0xbe0000 end_va = 0xbe1fff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 154 start_va = 0xc80000 end_va = 0xc8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 155 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 156 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 157 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 158 start_va = 0xd50000 end_va = 0xe4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 159 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 160 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 161 start_va = 0xa50000 end_va = 0xa5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 162 start_va = 0xbf0000 end_va = 0xc6dfff entry_point = 0xbf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 163 start_va = 0x749c0000 end_va = 0x74a58fff entry_point = 0x749c0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 164 start_va = 0x7ed60000 end_va = 0x7ee5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed60000" filename = "" Region: id = 165 start_va = 0xa60000 end_va = 0xa63fff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 166 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 167 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 168 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 169 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 170 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 171 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 172 start_va = 0x751a0000 end_va = 0x7531efff entry_point = 0x751a0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 173 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 174 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 175 start_va = 0x75a50000 end_va = 0x76bfcfff entry_point = 0x75a50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 176 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 177 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 178 start_va = 0x76eb0000 end_va = 0x76ebdfff entry_point = 0x76eb0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 179 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 180 start_va = 0xd40000 end_va = 0xd4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 181 start_va = 0xe50000 end_va = 0xfd7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e50000" filename = "" Region: id = 182 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 183 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 184 start_va = 0xa70000 end_va = 0xa70fff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 185 start_va = 0xc70000 end_va = 0xc70fff entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 186 start_va = 0x1090000 end_va = 0x1210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 187 start_va = 0x1220000 end_va = 0x261ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 188 start_va = 0x74890000 end_va = 0x748b4fff entry_point = 0x74890000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 189 start_va = 0x74810000 end_va = 0x74885fff entry_point = 0x74810000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 190 start_va = 0x2620000 end_va = 0x28f4fff entry_point = 0x2620000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 191 start_va = 0xc90000 end_va = 0xc90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 192 start_va = 0x74800000 end_va = 0x74808fff entry_point = 0x74800000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 193 start_va = 0x748e0000 end_va = 0x749bafff entry_point = 0x748e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 194 start_va = 0x2900000 end_va = 0x2a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 195 start_va = 0xca0000 end_va = 0xca0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 196 start_va = 0x2900000 end_va = 0x29f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002900000" filename = "" Region: id = 197 start_va = 0x2a40000 end_va = 0x2a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 198 start_va = 0xca0000 end_va = 0xca3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 199 start_va = 0xcb0000 end_va = 0xcb3fff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 200 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 201 start_va = 0xfe0000 end_va = 0x1066fff entry_point = 0xfe0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 202 start_va = 0x746d0000 end_va = 0x747f2fff entry_point = 0x746d0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 203 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 204 start_va = 0xcc0000 end_va = 0xcc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 205 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 206 start_va = 0xcd0000 end_va = 0xcd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 207 start_va = 0xce0000 end_va = 0xce3fff entry_point = 0xce0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 208 start_va = 0xcf0000 end_va = 0xd2efff entry_point = 0xcf0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000006.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db") Region: id = 209 start_va = 0xd30000 end_va = 0xd33fff entry_point = 0xd30000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 210 start_va = 0xfe0000 end_va = 0x1062fff entry_point = 0xfe0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 211 start_va = 0x1070000 end_va = 0x1072fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001070000" filename = "" Region: id = 212 start_va = 0x2a00000 end_va = 0x2a00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a00000" filename = "" Region: id = 213 start_va = 0x2a50000 end_va = 0x2e4bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a50000" filename = "" Region: id = 214 start_va = 0x2a10000 end_va = 0x2a13fff entry_point = 0x2a10000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\5JgHKoaOfdp\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 215 start_va = 0x2a20000 end_va = 0x2a39fff entry_point = 0x2a20000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db" filename = "\\Users\\5JgHKoaOfdp\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000028.db" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db") Region: id = 216 start_va = 0x2e50000 end_va = 0x2e50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e50000" filename = "" Region: id = 217 start_va = 0x746c0000 end_va = 0x746cdfff entry_point = 0x746c0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 218 start_va = 0x74590000 end_va = 0x746b1fff entry_point = 0x74590000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 219 start_va = 0x74370000 end_va = 0x74588fff entry_point = 0x74370000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 220 start_va = 0x741b0000 end_va = 0x7436cfff entry_point = 0x741b0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 221 start_va = 0x74190000 end_va = 0x741a8fff entry_point = 0x74190000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 222 start_va = 0x74180000 end_va = 0x74188fff entry_point = 0x74180000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 223 start_va = 0x2a10000 end_va = 0x2a10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a10000" filename = "" Region: id = 224 start_va = 0x2e60000 end_va = 0x2e60fff entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 225 start_va = 0x2e60000 end_va = 0x2e60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e60000" filename = "" Region: id = 226 start_va = 0x74160000 end_va = 0x74177fff entry_point = 0x74160000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 227 start_va = 0x74130000 end_va = 0x7415efff entry_point = 0x74130000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 228 start_va = 0x74110000 end_va = 0x7412cfff entry_point = 0x74110000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 229 start_va = 0x2e70000 end_va = 0x2eaffff entry_point = 0x0 region_type = private name = "private_0x0000000002e70000" filename = "" Region: id = 230 start_va = 0x2eb0000 end_va = 0x2faffff entry_point = 0x0 region_type = private name = "private_0x0000000002eb0000" filename = "" Region: id = 231 start_va = 0x2fb0000 end_va = 0x2feffff entry_point = 0x0 region_type = private name = "private_0x0000000002fb0000" filename = "" Region: id = 232 start_va = 0x2ff0000 end_va = 0x30effff entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 233 start_va = 0x30f0000 end_va = 0x312ffff entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 234 start_va = 0x3130000 end_va = 0x322ffff entry_point = 0x0 region_type = private name = "private_0x0000000003130000" filename = "" Region: id = 235 start_va = 0x7ed5d000 end_va = 0x7ed5ffff entry_point = 0x0 region_type = private name = "private_0x000000007ed5d000" filename = "" Region: id = 236 start_va = 0x7ee87000 end_va = 0x7ee89fff entry_point = 0x0 region_type = private name = "private_0x000000007ee87000" filename = "" Region: id = 237 start_va = 0x7ee8a000 end_va = 0x7ee8cfff entry_point = 0x0 region_type = private name = "private_0x000000007ee8a000" filename = "" Region: id = 238 start_va = 0x3230000 end_va = 0x326ffff entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 239 start_va = 0x3270000 end_va = 0x336ffff entry_point = 0x0 region_type = private name = "private_0x0000000003270000" filename = "" Region: id = 240 start_va = 0x7ed5a000 end_va = 0x7ed5cfff entry_point = 0x0 region_type = private name = "private_0x000000007ed5a000" filename = "" Region: id = 241 start_va = 0x74f30000 end_va = 0x74f69fff entry_point = 0x74f30000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 242 start_va = 0x75780000 end_va = 0x7592cfff entry_point = 0x75780000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 243 start_va = 0x3370000 end_va = 0x3377fff entry_point = 0x3370000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\svchost.exe" (normalized: "c:\\windows\\svchost.exe") Region: id = 244 start_va = 0x3380000 end_va = 0x3726fff entry_point = 0x3380000 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 260 start_va = 0x3370000 end_va = 0x33affff entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 261 start_va = 0x33b0000 end_va = 0x34affff entry_point = 0x0 region_type = private name = "private_0x00000000033b0000" filename = "" Region: id = 262 start_va = 0x7ed57000 end_va = 0x7ed59fff entry_point = 0x0 region_type = private name = "private_0x000000007ed57000" filename = "" Region: id = 263 start_va = 0x34b0000 end_va = 0x3856fff entry_point = 0x34b0000 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Thread: id = 1 os_tid = 0xa68 [0040.088] GetCurrentProcess () returned 0xffffffff [0040.088] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xbcf82c | out: TokenHandle=0xbcf82c*=0xe8) returned 1 [0040.089] GetTokenInformation (in: TokenHandle=0xe8, TokenInformationClass=0x14, TokenInformation=0xbcf824, TokenInformationLength=0x4, ReturnLength=0xbcf828 | out: TokenInformation=0xbcf824, ReturnLength=0xbcf828) returned 1 [0040.089] CloseHandle (hObject=0xe8) returned 1 [0040.089] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1085fe0, nSize=0x104 | out: lpFilename="C:\\Users\\5JgHKoaOfdp\\Desktop\\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe")) returned 0x61 [0040.089] GetWindowsDirectoryW (in: lpBuffer=0x1086420, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0040.090] GetWindowsDirectoryW (in: lpBuffer=0x1086200, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0040.090] CopyFileW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe"), lpNewFileName="C:\\Windows\\svchost.exe" (normalized: "c:\\windows\\svchost.exe"), bFailIfExists=0) returned 1 [0040.252] SetFileAttributesW (lpFileName="C:\\Windows\\svchost.exe", dwFileAttributes=0x6) returned 1 [0040.253] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", ulOptions=0x0, samDesired=0x102, phkResult=0x108662c | out: phkResult=0x108662c*=0xe8) returned 0x0 [0040.253] RegSetValueExW (in: hKey=0xe8, lpValueName="Shell", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\explorer.exe, C:\\Windows\\svchost.exe", cbData=0x208 | out: lpData="C:\\Windows\\explorer.exe, C:\\Windows\\svchost.exe") returned 0x0 [0040.253] RegCloseKey (hKey=0xe8) returned 0x0 [0040.253] DeleteFileW (lpFileName="C:\\Windows\\svchost.exe" (normalized: "c:\\windows\\svchost.exe")) returned 1 [0040.254] CopyFileW (lpExistingFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a.exe"), lpNewFileName="C:\\Windows\\svchost.exe" (normalized: "c:\\windows\\svchost.exe"), bFailIfExists=0) returned 1 [0040.256] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="C:\\Windows\\svchost.exe", lpParameters=0x0, lpDirectory=0x0, nShowCmd=0) returned 0x2a [0046.333] Sleep (dwMilliseconds=0x3e8) [0048.644] GetCurrentProcess () returned 0xffffffff [0048.644] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xbcf82c | out: TokenHandle=0xbcf82c*=0x290) returned 1 [0048.644] GetTokenInformation (in: TokenHandle=0x290, TokenInformationClass=0x14, TokenInformation=0xbcf828, TokenInformationLength=0x4, ReturnLength=0xbcf824 | out: TokenInformation=0xbcf828, ReturnLength=0xbcf824) returned 1 [0048.644] CloseHandle (hObject=0x290) returned 1 [0048.644] OpenMutexW (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="䩈㹇䨼䙫套杉極桯瑧㤸㜵朳橵畨㝹常⠪⠦♞⑞") returned 0x290 [0048.644] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0x2d8 Thread: id = 3 os_tid = 0x364 Thread: id = 4 os_tid = 0xabc Thread: id = 5 os_tid = 0xac0 Thread: id = 7 os_tid = 0xaa4 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\svchost.exe" page_root = "0xc676000" os_pid = "0xac4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa80" cmd_line = "\"C:\\Windows\\svchost.exe\" " cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 245 start_va = 0x30000 end_va = 0x4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 246 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 247 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 248 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 249 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 250 start_va = 0xfb0000 end_va = 0xfb7fff entry_point = 0xfb0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\svchost.exe" (normalized: "c:\\windows\\svchost.exe") Region: id = 251 start_va = 0x770a0000 end_va = 0x77207fff entry_point = 0x770a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 252 start_va = 0x7f240000 end_va = 0x7f262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f240000" filename = "" Region: id = 253 start_va = 0x7f264000 end_va = 0x7f264fff entry_point = 0x0 region_type = private name = "private_0x000000007f264000" filename = "" Region: id = 254 start_va = 0x7f26c000 end_va = 0x7f26efff entry_point = 0x0 region_type = private name = "private_0x000000007f26c000" filename = "" Region: id = 255 start_va = 0x7f26f000 end_va = 0x7f26ffff entry_point = 0x0 region_type = private name = "private_0x000000007f26f000" filename = "" Region: id = 256 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 257 start_va = 0x7fff0000 end_va = 0x7ffb1d6dffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 258 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 259 start_va = 0x7ffb1d88a000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb1d88a000" filename = "" Region: id = 264 start_va = 0x1b0000 end_va = 0x1b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 265 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 266 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 267 start_va = 0x76fd0000 end_va = 0x76fd8fff entry_point = 0x76fd0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 268 start_va = 0x76fe0000 end_va = 0x77047fff entry_point = 0x76fe0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 269 start_va = 0x77050000 end_va = 0x77098fff entry_point = 0x77050000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 270 start_va = 0x30000 end_va = 0x3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 271 start_va = 0x1d0000 end_va = 0x24dfff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 272 start_va = 0x490000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 273 start_va = 0x590000 end_va = 0x936fff entry_point = 0x590000 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 274 start_va = 0x749c0000 end_va = 0x74a58fff entry_point = 0x749c0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 275 start_va = 0x74f70000 end_va = 0x750affff entry_point = 0x74f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 276 start_va = 0x75940000 end_va = 0x75a0efff entry_point = 0x75940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 277 start_va = 0x7f140000 end_va = 0x7f23ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f140000" filename = "" Region: id = 278 start_va = 0x40000 end_va = 0x43fff entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 279 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 280 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 281 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 282 start_va = 0x590000 end_va = 0x717fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 283 start_va = 0x720000 end_va = 0x8a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 284 start_va = 0xfc0000 end_va = 0x23bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 285 start_va = 0x74a60000 end_va = 0x74ab2fff entry_point = 0x74a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 286 start_va = 0x74ac0000 end_va = 0x74ac8fff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 287 start_va = 0x74ad0000 end_va = 0x74aecfff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 288 start_va = 0x74bc0000 end_va = 0x74d0dfff entry_point = 0x74bc0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 289 start_va = 0x74d10000 end_va = 0x74d87fff entry_point = 0x74d10000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 290 start_va = 0x74e20000 end_va = 0x74ed0fff entry_point = 0x74e20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 291 start_va = 0x751a0000 end_va = 0x7531efff entry_point = 0x751a0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 292 start_va = 0x75360000 end_va = 0x75456fff entry_point = 0x75360000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 293 start_va = 0x75460000 end_va = 0x755aefff entry_point = 0x75460000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 294 start_va = 0x75a10000 end_va = 0x75a4dfff entry_point = 0x75a10000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 295 start_va = 0x75a50000 end_va = 0x76bfcfff entry_point = 0x75a50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 296 start_va = 0x76d70000 end_va = 0x76db0fff entry_point = 0x76d70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 297 start_va = 0x76dc0000 end_va = 0x76de4fff entry_point = 0x76dc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 298 start_va = 0x76df0000 end_va = 0x76eadfff entry_point = 0x76df0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 299 start_va = 0x76eb0000 end_va = 0x76ebdfff entry_point = 0x76eb0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 300 start_va = 0x76ec0000 end_va = 0x76fc7fff entry_point = 0x76ec0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 301 start_va = 0x8b0000 end_va = 0xb84fff entry_point = 0x8b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 302 start_va = 0x74160000 end_va = 0x74177fff entry_point = 0x74160000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 303 start_va = 0x74130000 end_va = 0x7415efff entry_point = 0x74130000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 304 start_va = 0x74110000 end_va = 0x7412cfff entry_point = 0x74110000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 305 start_va = 0x260000 end_va = 0x263fff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 306 start_va = 0x74810000 end_va = 0x74885fff entry_point = 0x74810000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 307 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 308 start_va = 0x74800000 end_va = 0x74808fff entry_point = 0x74800000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 309 start_va = 0x748e0000 end_va = 0x749bafff entry_point = 0x748e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 310 start_va = 0x330000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 311 start_va = 0x76c50000 end_va = 0x76d5bfff entry_point = 0x76c50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 312 start_va = 0x280000 end_va = 0x306fff entry_point = 0x280000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 313 start_va = 0x746d0000 end_va = 0x747f2fff entry_point = 0x746d0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 314 start_va = 0x74d90000 end_va = 0x74e16fff entry_point = 0x74d90000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 315 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 316 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 317 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 318 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 319 start_va = 0x7f269000 end_va = 0x7f26bfff entry_point = 0x0 region_type = private name = "private_0x000000007f269000" filename = "" Region: id = 320 start_va = 0x75700000 end_va = 0x7577cfff entry_point = 0x75700000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 321 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 322 start_va = 0x2e0000 end_va = 0x2e3fff entry_point = 0x2e0000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\5JgHKoaOfdp\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 323 start_va = 0x2f0000 end_va = 0x309fff entry_point = 0x2f0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db" filename = "\\Users\\5JgHKoaOfdp\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000028.db" (normalized: "c:\\users\\5jghkoaofdp\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db") Region: id = 324 start_va = 0x310000 end_va = 0x310fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 325 start_va = 0x440000 end_va = 0x442fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 326 start_va = 0x450000 end_va = 0x450fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 327 start_va = 0xb90000 end_va = 0xf8bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 328 start_va = 0x74f30000 end_va = 0x74f69fff entry_point = 0x74f30000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 329 start_va = 0x75780000 end_va = 0x7592cfff entry_point = 0x75780000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 330 start_va = 0x2e0000 end_va = 0x2e3fff entry_point = 0x2e0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 331 start_va = 0x23c0000 end_va = 0x23fefff entry_point = 0x23c0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000006.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db") Region: id = 332 start_va = 0x470000 end_va = 0x473fff entry_point = 0x470000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 333 start_va = 0x2400000 end_va = 0x2482fff entry_point = 0x2400000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 334 start_va = 0x746c0000 end_va = 0x746cdfff entry_point = 0x746c0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 335 start_va = 0x74590000 end_va = 0x746b1fff entry_point = 0x74590000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 336 start_va = 0x74370000 end_va = 0x74588fff entry_point = 0x74370000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 337 start_va = 0x741b0000 end_va = 0x7436cfff entry_point = 0x741b0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 338 start_va = 0x74190000 end_va = 0x741a8fff entry_point = 0x74190000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 339 start_va = 0x2490000 end_va = 0x24cffff entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 340 start_va = 0x24d0000 end_va = 0x25cffff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 341 start_va = 0x7f266000 end_va = 0x7f268fff entry_point = 0x0 region_type = private name = "private_0x000000007f266000" filename = "" Region: id = 342 start_va = 0x74180000 end_va = 0x74188fff entry_point = 0x74180000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 343 start_va = 0x480000 end_va = 0x480fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 344 start_va = 0xf90000 end_va = 0xf90fff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 345 start_va = 0xf90000 end_va = 0xf90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 346 start_va = 0x25d0000 end_va = 0x260ffff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 347 start_va = 0x2610000 end_va = 0x270ffff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 348 start_va = 0x2710000 end_va = 0x274ffff entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 349 start_va = 0x2750000 end_va = 0x284ffff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 350 start_va = 0x2850000 end_va = 0x288ffff entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 351 start_va = 0x2890000 end_va = 0x298ffff entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 352 start_va = 0x7f137000 end_va = 0x7f139fff entry_point = 0x0 region_type = private name = "private_0x000000007f137000" filename = "" Region: id = 353 start_va = 0x7f13a000 end_va = 0x7f13cfff entry_point = 0x0 region_type = private name = "private_0x000000007f13a000" filename = "" Region: id = 354 start_va = 0x7f13d000 end_va = 0x7f13ffff entry_point = 0x0 region_type = private name = "private_0x000000007f13d000" filename = "" Region: id = 368 start_va = 0x2990000 end_va = 0x29cffff entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 369 start_va = 0x29d0000 end_va = 0x2acffff entry_point = 0x0 region_type = private name = "private_0x00000000029d0000" filename = "" Region: id = 370 start_va = 0x7f134000 end_va = 0x7f136fff entry_point = 0x0 region_type = private name = "private_0x000000007f134000" filename = "" Region: id = 422 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x2c0000 region_type = mapped_file name = "bootstat.dat" filename = "\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat") Region: id = 491 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x2c0000 region_type = mapped_file name = "bootnxt" filename = "\\BOOTNXT" (normalized: "c:\\bootnxt") Region: id = 492 start_va = 0x2c0000 end_va = 0x2c3fff entry_point = 0x2c0000 region_type = mapped_file name = "msaddndr.olb" filename = "\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb") Region: id = 493 start_va = 0x2ad0000 end_va = 0x2c1efff entry_point = 0x2ad0000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll") Region: id = 494 start_va = 0x2ad0000 end_va = 0x2bc3fff entry_point = 0x2ad0000 region_type = mapped_file name = "dw20.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe") Region: id = 580 start_va = 0x2ad0000 end_va = 0x2b5ffff entry_point = 0x2ad0000 region_type = mapped_file name = "dwtrig20.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe") Region: id = 581 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x2c0000 region_type = mapped_file name = "eeintl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll") Region: id = 582 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x2c0000 region_type = mapped_file name = "eqnedt32.cnt" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt") Region: id = 583 start_va = 0x2ad0000 end_va = 0x2b54fff entry_point = 0x2ad0000 region_type = mapped_file name = "eqnedt32.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe") Region: id = 584 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x2c0000 region_type = mapped_file name = "eqnedt32.exe.manifest" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest") Region: id = 585 start_va = 0x2ad0000 end_va = 0x2afbfff entry_point = 0x2ad0000 region_type = mapped_file name = "eqnedt32.hlp" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp") Region: id = 586 start_va = 0x2c0000 end_va = 0x2c1fff entry_point = 0x2c0000 region_type = mapped_file name = "mtextra.ttf" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf") Region: id = 587 start_va = 0x2c0000 end_va = 0x2c7fff entry_point = 0x2c0000 region_type = mapped_file name = "msoeuro.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll") Region: id = 588 start_va = 0x2c0000 end_va = 0x2c9fff entry_point = 0x2c0000 region_type = mapped_file name = "msgfilt.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll") Region: id = 589 start_va = 0x2ad0000 end_va = 0x2bbbfff entry_point = 0x2ad0000 region_type = mapped_file name = "odffilt.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll") Region: id = 658 start_va = 0x2ad0000 end_va = 0x2beffff entry_point = 0x2ad0000 region_type = mapped_file name = "offfiltx.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll") Region: id = 659 start_va = 0x2ad0000 end_va = 0x2c4ffff entry_point = 0x2ad0000 region_type = mapped_file name = "visfilt.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll") Region: id = 660 start_va = 0x2ad0000 end_va = 0x2b6efff entry_point = 0x2ad0000 region_type = mapped_file name = "epsimp32.flt" filename = "\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt") Region: id = 661 start_va = 0x2ad0000 end_va = 0x2b0efff entry_point = 0x2ad0000 region_type = mapped_file name = "gifimp32.flt" filename = "\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt") Region: id = 662 start_va = 0x2ad0000 end_va = 0x2b09fff entry_point = 0x2ad0000 region_type = mapped_file name = "jpegim32.flt" filename = "\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt") Region: id = 663 start_va = 0x2c0000 end_va = 0x2c3fff entry_point = 0x2c0000 region_type = mapped_file name = "ms.eps" filename = "\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps") Region: id = 664 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x2c0000 region_type = mapped_file name = "ms.gif" filename = "\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif") Region: id = 665 start_va = 0x2ad0000 end_va = 0x2ae2fff entry_point = 0x2ad0000 region_type = mapped_file name = "pictim32.flt" filename = "\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt") Region: id = 666 start_va = 0x2ad0000 end_va = 0x2b13fff entry_point = 0x2ad0000 region_type = mapped_file name = "png32.flt" filename = "\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt") Region: id = 667 start_va = 0x2ad0000 end_va = 0x2b11fff entry_point = 0x2ad0000 region_type = mapped_file name = "wpgimp32.flt" filename = "\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt") Region: id = 668 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x2c0000 region_type = mapped_file name = "hx.hxc" filename = "\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxC" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hx.hxc") Region: id = 669 start_va = 0x2ad0000 end_va = 0x2bfdfff entry_point = 0x2ad0000 region_type = mapped_file name = "hxds.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll") Region: id = 670 start_va = 0x2c0000 end_va = 0x2c6fff entry_point = 0x2c0000 region_type = mapped_file name = "hxruntime.hxs" filename = "\\Program Files\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxruntime.hxs") Region: id = 671 start_va = 0x2ad0000 end_va = 0x2c4ffff entry_point = 0x2ad0000 region_type = mapped_file name = "itircl55.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\Help\\itircl55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll") Region: id = 672 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x2c0000 region_type = mapped_file name = "keywords.hxk" filename = "\\Program Files\\Common Files\\microsoft shared\\Help\\Keywords.HxK" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\keywords.hxk") Region: id = 673 start_va = 0x2ad0000 end_va = 0x2b3cfff entry_point = 0x2ad0000 region_type = mapped_file name = "msitss55.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll") Region: id = 674 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x2c0000 region_type = mapped_file name = "namedurls.hxk" filename = "\\Program Files\\Common Files\\microsoft shared\\Help\\NamedUrls.HxK" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\namedurls.hxk") Region: id = 675 start_va = 0x2ad0000 end_va = 0x2b46fff entry_point = 0x2ad0000 region_type = mapped_file name = "mscdm.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll") Region: id = 676 start_va = 0x2ad0000 end_va = 0x2b01fff entry_point = 0x2ad0000 region_type = mapped_file name = "aceintl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\aceintl.dll") Region: id = 677 start_va = 0x2c0000 end_va = 0x2cdfff entry_point = 0x2c0000 region_type = mapped_file name = "aceodbci.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\aceodbci.dll") Region: id = 678 start_va = 0x2ad0000 end_va = 0x2ba1fff entry_point = 0x2ad0000 region_type = mapped_file name = "acewstr.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\acewstr.dll") Region: id = 679 start_va = 0x2ad0000 end_va = 0x2c4ffff entry_point = 0x2ad0000 region_type = mapped_file name = "ado210.chm" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\ado210.chm") Region: id = 680 start_va = 0x2ad0000 end_va = 0x2af5fff entry_point = 0x2ad0000 region_type = mapped_file name = "alrtintl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\alrtintl.dll") Region: id = 681 start_va = 0x2ad0000 end_va = 0x2c4ffff entry_point = 0x2ad0000 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll") Region: id = 682 start_va = 0x2c0000 end_va = 0x2ccfff entry_point = 0x2c0000 region_type = mapped_file name = "msointl.dll.idx_dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll.idx_dll") Region: id = 683 start_va = 0x2ad0000 end_va = 0x2c3afff entry_point = 0x2ad0000 region_type = mapped_file name = "msointl.rest.idx_dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.rest.idx_dll") Region: id = 696 start_va = 0x2c0000 end_va = 0x2cafff entry_point = 0x2c0000 region_type = mapped_file name = "mssoapr3.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\mssoapr3.dll") Region: id = 707 start_va = 0x2c0000 end_va = 0x2c3fff entry_point = 0x2c0000 region_type = mapped_file name = "oarpmanr.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\oarpmanr.dll") Region: id = 708 start_va = 0x2ad0000 end_va = 0x2af0fff entry_point = 0x2ad0000 region_type = mapped_file name = "osfintl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OSFINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osfintl.dll") Region: id = 709 start_va = 0x2ad0000 end_va = 0x2c4ffff entry_point = 0x2ad0000 region_type = mapped_file name = "osmdp32.msi" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp32.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmdp32.msi") Region: id = 725 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x2c0000 region_type = mapped_file name = "readme.htm" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\readme.htm") Region: id = 726 start_va = 0x2ad0000 end_va = 0x2b10fff entry_point = 0x2ad0000 region_type = mapped_file name = "xlsrvintl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\xlsrvintl.dll") Region: id = 727 start_va = 0x2ad0000 end_va = 0x2c4ffff entry_point = 0x2ad0000 region_type = mapped_file name = "acecore.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acecore.dll") Region: id = 728 start_va = 0x2ad0000 end_va = 0x2b66fff entry_point = 0x2ad0000 region_type = mapped_file name = "acedao.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acedao.dll") Region: id = 729 start_va = 0x2c0000 end_va = 0x2c9fff entry_point = 0x2c0000 region_type = mapped_file name = "aceerr.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceerr.dll") Region: id = 730 start_va = 0x2ad0000 end_va = 0x2ba6fff entry_point = 0x2ad0000 region_type = mapped_file name = "acees.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acees.dll") Region: id = 731 start_va = 0x2ad0000 end_va = 0x2b0cfff entry_point = 0x2ad0000 region_type = mapped_file name = "aceexch.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceexch.dll") Region: id = 732 start_va = 0x2ad0000 end_va = 0x2b52fff entry_point = 0x2ad0000 region_type = mapped_file name = "aceexcl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceexcl.dll") Region: id = 733 start_va = 0x2ad0000 end_va = 0x2b22fff entry_point = 0x2ad0000 region_type = mapped_file name = "aceodbc.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodbc.dll") Region: id = 734 start_va = 0x2c0000 end_va = 0x2c4fff entry_point = 0x2c0000 region_type = mapped_file name = "aceodexl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodexl.dll") Region: id = 735 start_va = 0x2ad0000 end_va = 0x2b3cfff entry_point = 0x2ad0000 region_type = mapped_file name = "aceoledb.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceoledb.dll") Region: id = 736 start_va = 0x2ad0000 end_va = 0x2b01fff entry_point = 0x2ad0000 region_type = mapped_file name = "acetxt.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acetxt.dll") Region: id = 737 start_va = 0x2ad0000 end_va = 0x2c4ffff entry_point = 0x2ad0000 region_type = mapped_file name = "acewdat.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acewdat.dll") Region: id = 738 start_va = 0x2ad0000 end_va = 0x2b1cfff entry_point = 0x2ad0000 region_type = mapped_file name = "acewss.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acewss.dll") Region: id = 739 start_va = 0x2ad0000 end_va = 0x2ba5fff entry_point = 0x2ad0000 region_type = mapped_file name = "adal.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ADAL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\adal.dll") Region: id = 740 start_va = 0x2ad0000 end_va = 0x2c4ffff entry_point = 0x2ad0000 region_type = mapped_file name = "cmigrate.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CMigrate.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\cmigrate.exe") Region: id = 741 start_va = 0x2ad0000 end_va = 0x2aeafff entry_point = 0x2ad0000 region_type = mapped_file name = "csisyncclient.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CSISYNCCLIENT.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\csisyncclient.exe") Region: id = 742 start_va = 0x2c0000 end_va = 0x2c4fff entry_point = 0x2c0000 region_type = mapped_file name = "as80.xsl" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\as80.xsl") Region: id = 743 start_va = 0x2c0000 end_va = 0x2c7fff entry_point = 0x2c0000 region_type = mapped_file name = "db2v0801.xsl" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\db2v0801.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\db2v0801.xsl") Region: id = 744 start_va = 0x2c0000 end_va = 0x2c7fff entry_point = 0x2c0000 region_type = mapped_file name = "msjet.xsl" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\msjet.xsl") Region: id = 745 start_va = 0x2c0000 end_va = 0x2c8fff entry_point = 0x2c0000 region_type = mapped_file name = "orcl7.xsl" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\orcl7.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\orcl7.xsl") Region: id = 746 start_va = 0x2c0000 end_va = 0x2c7fff entry_point = 0x2c0000 region_type = mapped_file name = "sql70.xsl" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql70.xsl") Region: id = 747 start_va = 0x2ad0000 end_va = 0x2ae6fff entry_point = 0x2ad0000 region_type = mapped_file name = "sql90.xsl" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql90.xsl") Region: id = 748 start_va = 0x2ad0000 end_va = 0x2ae2fff entry_point = 0x2ad0000 region_type = mapped_file name = "sqlpdw.xsl" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sqlpdw.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sqlpdw.xsl") Thread: id = 6 os_tid = 0xac8 [0046.362] GetCurrentProcess () returned 0xffffffff [0046.363] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1afb60 | out: TokenHandle=0x1afb60*=0xe8) returned 1 [0046.363] GetTokenInformation (in: TokenHandle=0xe8, TokenInformationClass=0x14, TokenInformation=0x1afb58, TokenInformationLength=0x4, ReturnLength=0x1afb5c | out: TokenInformation=0x1afb58, ReturnLength=0x1afb5c) returned 1 [0046.363] CloseHandle (hObject=0xe8) returned 1 [0046.363] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xfb5fe0, nSize=0x104 | out: lpFilename="C:\\Windows\\svchost.exe" (normalized: "c:\\windows\\svchost.exe")) returned 0x16 [0046.363] GetWindowsDirectoryW (in: lpBuffer=0xfb6420, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0046.364] GetWindowsDirectoryW (in: lpBuffer=0xfb6200, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0046.364] CopyFileW (lpExistingFileName="C:\\Windows\\svchost.exe" (normalized: "c:\\windows\\svchost.exe"), lpNewFileName="C:\\Windows\\svchost.exe" (normalized: "c:\\windows\\svchost.exe"), bFailIfExists=0) returned 0 [0046.365] SetFileAttributesW (lpFileName="C:\\Windows\\svchost.exe", dwFileAttributes=0x6) returned 1 [0046.365] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", ulOptions=0x0, samDesired=0x102, phkResult=0xfb662c | out: phkResult=0xfb662c*=0xe8) returned 0x0 [0046.366] RegSetValueExW (in: hKey=0xe8, lpValueName="Shell", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\explorer.exe, C:\\Windows\\svchost.exe", cbData=0x208 | out: lpData="C:\\Windows\\explorer.exe, C:\\Windows\\svchost.exe") returned 0x0 [0046.366] RegCloseKey (hKey=0xe8) returned 0x0 [0046.366] DeleteFileW (lpFileName="C:\\Windows\\svchost.exe" (normalized: "c:\\windows\\svchost.exe")) returned 0 [0046.366] GetCurrentProcess () returned 0xffffffff [0046.366] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1afb60 | out: TokenHandle=0x1afb60*=0xe8) returned 1 [0046.366] GetTokenInformation (in: TokenHandle=0xe8, TokenInformationClass=0x14, TokenInformation=0x1afb5c, TokenInformationLength=0x4, ReturnLength=0x1afb58 | out: TokenInformation=0x1afb5c, ReturnLength=0x1afb58) returned 1 [0046.366] CloseHandle (hObject=0xe8) returned 1 [0046.366] OpenMutexW (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="䩈㹇䨼䙫套杉極桯瑧㤸㜵朳橵畨㝹常⠪⠦♞⑞") returned 0x0 [0046.366] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="䩈㹇䨼䙫套杉極桯瑧㤸㜵朳橵畨㝹常⠪⠦♞⑞") returned 0xe8 [0046.366] ReleaseMutex (hMutex=0xe8) returned 0 [0046.366] rand () returned 41 [0046.366] srand (_Seed=0x1aebb0) [0046.366] rand () returned 27008 [0046.366] rand () returned 16409 [0046.366] rand () returned 545 [0046.366] rand () returned 12288 [0046.366] rand () returned 14891 [0046.366] rand () returned 20804 [0046.366] rand () returned 22619 [0046.366] rand () returned 22110 [0046.366] rand () returned 31028 [0046.366] rand () returned 30215 [0046.366] rand () returned 23484 [0046.366] rand () returned 12669 [0046.366] rand () returned 2380 [0046.366] rand () returned 28060 [0046.366] rand () returned 22691 [0046.366] rand () returned 32275 [0046.366] rand () returned 3811 [0046.366] rand () returned 31492 [0046.366] rand () returned 13599 [0046.367] rand () returned 15558 [0046.367] rand () returned 12188 [0046.367] rand () returned 30377 [0046.367] rand () returned 19458 [0046.367] rand () returned 28908 [0046.367] rand () returned 26111 [0046.367] rand () returned 9025 [0046.367] rand () returned 32311 [0046.367] rand () returned 15509 [0046.367] rand () returned 15727 [0046.367] rand () returned 18933 [0046.367] rand () returned 28245 [0046.367] rand () returned 32203 [0046.367] rand () returned 2651 [0046.367] rand () returned 25027 [0046.367] rand () returned 6771 [0046.367] rand () returned 20760 [0046.367] rand () returned 29368 [0046.367] rand () returned 17953 [0046.367] rand () returned 18495 [0046.367] rand () returned 7497 [0046.367] rand () returned 23214 [0046.367] rand () returned 16611 [0046.367] rand () returned 30538 [0046.367] rand () returned 3186 [0046.367] rand () returned 2449 [0046.367] rand () returned 27486 [0046.367] rand () returned 19878 [0046.367] rand () returned 5682 [0046.367] rand () returned 6932 [0046.367] rand () returned 10958 [0046.367] rand () returned 12979 [0046.367] rand () returned 32568 [0046.367] rand () returned 4281 [0046.367] rand () returned 19445 [0046.367] rand () returned 3126 [0046.367] rand () returned 29190 [0046.367] rand () returned 6028 [0046.367] rand () returned 517 [0046.367] rand () returned 20907 [0046.367] rand () returned 5365 [0046.367] rand () returned 22033 [0046.367] rand () returned 19648 [0046.367] rand () returned 27101 [0046.367] rand () returned 16762 [0046.367] rand () returned 22139 [0046.367] rand () returned 2526 [0046.367] rand () returned 1715 [0046.367] srand (_Seed=0x1b05d8) [0046.367] rand () returned 16106 [0046.367] rand () returned 29210 [0046.367] rand () returned 15837 [0046.367] rand () returned 19981 [0046.367] rand () returned 6337 [0046.367] rand () returned 1484 [0046.367] rand () returned 23143 [0046.367] rand () returned 16341 [0046.367] rand () returned 636 [0046.367] rand () returned 19362 [0046.367] rand () returned 16144 [0046.367] rand () returned 12693 [0046.367] rand () returned 1859 [0046.367] rand () returned 884 [0046.367] rand () returned 18531 [0046.367] rand () returned 31108 [0046.367] rand () returned 8453 [0046.367] rand () returned 2503 [0046.367] rand () returned 16864 [0046.368] rand () returned 20973 [0046.368] rand () returned 2666 [0046.368] rand () returned 12785 [0046.368] rand () returned 26515 [0046.368] rand () returned 9339 [0046.368] rand () returned 27914 [0046.368] rand () returned 2942 [0046.368] rand () returned 9708 [0046.368] rand () returned 6835 [0046.368] rand () returned 16348 [0046.368] rand () returned 5843 [0046.368] rand () returned 3018 [0046.368] rand () returned 6082 [0046.368] rand () returned 27121 [0046.368] rand () returned 11537 [0046.378] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgrfmmBw99c6k47 / OBto0QuJnIFNLJyqocECDo7SCCTpZ1RbCx5iTwuZN2DqaI2z69bsRWKprUBSLjSQYEPs / 3qEpQV8qKZl9JdlSbA5qxTgHmQkMMKLdy0w0O4BDi1D6XhOFJOXLl3uA481oEMD + rM0p8qxBBPY32KtaQoQuahQIDAQAB-----END PUBLIC KEY-----ªð\x1a", cchString=0x0, dwFlags=0x0, pbBinary=0x1aeb24, pcbBinary=0x1af334, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x1aeb24, pcbBinary=0x1af334, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0046.389] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x1aeb24, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x1af32c, pcbStructInfo=0x1af324 | out: pvStructInfo=0x1af32c, pcbStructInfo=0x1af324) returned 1 [0046.404] CryptAcquireContextW (in: phProv=0x1af330, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x1af330*=0x49d9a8) returned 1 [0046.422] CryptImportPublicKeyInfo (in: hCryptProv=0x49d9a8, dwCertEncodingType=0x1, pInfo=0x4a1e80*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4a1eb0*, PublicKey.cbData=0x8c, PublicKey.pbData=0x4a1eb8*, PublicKey.cUnusedBits=0x0), phKey=0x1af338 | out: phKey=0x1af338*=0x4a13c8) returned 1 [0046.451] LocalFree (hMem=0x4a1e80) returned 0x0 [0046.451] CryptEncrypt (in: hKey=0x4a13c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1af33c*=0x36, dwBufLen=0x36 | out: pbData=0x0*, pdwDataLen=0x1af33c*=0x80) returned 1 [0046.458] CryptEncrypt (in: hKey=0x4a13c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x462250*, pdwDataLen=0x1af328*=0x36, dwBufLen=0x80 | out: pbData=0x462250*, pdwDataLen=0x1af328*=0x80) returned 1 [0046.459] rand () returned 8921 [0046.459] srand (_Seed=0x1b7670) [0046.459] rand () returned 11929 [0046.459] rand () returned 19836 [0046.459] rand () returned 16364 [0046.459] rand () returned 20680 [0046.459] rand () returned 9566 [0046.459] rand () returned 4874 [0046.459] rand () returned 17647 [0046.459] rand () returned 18170 [0046.459] rand () returned 8282 [0046.459] rand () returned 16801 [0046.459] rand () returned 12737 [0046.459] rand () returned 4342 [0046.459] rand () returned 8780 [0046.459] rand () returned 26714 [0046.459] rand () returned 21293 [0046.459] rand () returned 6702 [0046.459] rand () returned 13167 [0046.459] rand () returned 20177 [0046.459] rand () returned 29037 [0046.459] rand () returned 27843 [0046.459] rand () returned 19697 [0046.459] rand () returned 714 [0046.459] rand () returned 14144 [0046.459] rand () returned 19528 [0046.459] rand () returned 6310 [0046.459] rand () returned 26907 [0046.459] rand () returned 3901 [0046.459] rand () returned 28105 [0046.459] rand () returned 22782 [0046.459] rand () returned 21958 [0046.459] rand () returned 27495 [0046.459] rand () returned 28939 [0046.459] rand () returned 3381 [0046.459] rand () returned 28517 [0046.459] rand () returned 11009 [0046.459] rand () returned 32534 [0046.459] rand () returned 9673 [0046.459] rand () returned 25035 [0046.459] rand () returned 4772 [0046.459] rand () returned 12785 [0046.460] rand () returned 23857 [0046.460] rand () returned 9192 [0046.460] rand () returned 2702 [0046.460] rand () returned 10669 [0046.460] rand () returned 2252 [0046.460] rand () returned 21741 [0046.460] rand () returned 5949 [0046.460] rand () returned 29348 [0046.460] rand () returned 30232 [0046.460] rand () returned 29873 [0046.460] rand () returned 16445 [0046.460] rand () returned 8451 [0046.460] rand () returned 10276 [0046.460] rand () returned 31571 [0046.460] rand () returned 22846 [0046.460] rand () returned 17798 [0046.460] rand () returned 2376 [0046.460] rand () returned 5154 [0046.460] rand () returned 24937 [0046.460] rand () returned 8067 [0046.460] rand () returned 25875 [0046.460] rand () returned 32697 [0046.460] rand () returned 27892 [0046.460] rand () returned 12330 [0046.460] rand () returned 16005 [0046.460] rand () returned 24942 [0046.460] rand () returned 19700 [0046.460] srand (_Seed=0x1c1edc) [0046.460] rand () returned 21656 [0046.460] rand () returned 10302 [0046.460] rand () returned 3372 [0046.460] rand () returned 1331 [0046.460] rand () returned 5461 [0046.460] rand () returned 30271 [0046.460] rand () returned 29124 [0046.460] rand () returned 28122 [0046.460] rand () returned 4441 [0046.460] rand () returned 29833 [0046.460] rand () returned 25374 [0046.460] rand () returned 2913 [0046.460] rand () returned 16704 [0046.460] rand () returned 13213 [0046.460] rand () returned 200 [0046.460] rand () returned 19442 [0046.460] rand () returned 13342 [0046.460] rand () returned 14733 [0046.460] rand () returned 24219 [0046.460] rand () returned 16850 [0046.460] rand () returned 2486 [0046.460] rand () returned 25440 [0046.460] rand () returned 28816 [0046.460] rand () returned 12260 [0046.460] rand () returned 23789 [0046.460] rand () returned 30136 [0046.460] rand () returned 26838 [0046.461] rand () returned 16239 [0046.461] rand () returned 12926 [0046.461] rand () returned 8370 [0046.461] rand () returned 15393 [0046.461] rand () returned 17184 [0046.461] rand () returned 16366 [0046.461] rand () returned 31502 [0046.461] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgrfmmBw99c6k47 / OBto0QuJnIFNLJyqocECDo7SCCTpZ1RbCx5iTwuZN2DqaI2z69bsRWKprUBSLjSQYEPs / 3qEpQV8qKZl9JdlSbA5qxTgHmQkMMKLdy0w0O4BDi1D6XhOFJOXLl3uA481oEMD + rM0p8qxBBPY32KtaQoQuahQIDAQAB-----END PUBLIC KEY-----ªð\x1a", cchString=0x0, dwFlags=0x0, pbBinary=0x1aeb24, pcbBinary=0x1af334, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x1aeb24, pcbBinary=0x1af334, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0046.461] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x1aeb24, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x1af32c, pcbStructInfo=0x1af324 | out: pvStructInfo=0x1af32c, pcbStructInfo=0x1af324) returned 1 [0046.461] CryptAcquireContextW (in: phProv=0x1af330, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x1af330*=0x4a64d0) returned 1 [0046.462] CryptImportPublicKeyInfo (in: hCryptProv=0x4a64d0, dwCertEncodingType=0x1, pInfo=0x4a26a0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4a26d0*, PublicKey.cbData=0x8c, PublicKey.pbData=0x4a26d8*, PublicKey.cUnusedBits=0x0), phKey=0x1af338 | out: phKey=0x1af338*=0x4a1408) returned 1 [0046.462] LocalFree (hMem=0x4a26a0) returned 0x0 [0046.462] CryptEncrypt (in: hKey=0x4a1408, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1af33c*=0x36, dwBufLen=0x36 | out: pbData=0x0*, pdwDataLen=0x1af33c*=0x80) returned 1 [0046.462] CryptEncrypt (in: hKey=0x4a1408, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4604a0*, pdwDataLen=0x1af328*=0x36, dwBufLen=0x80 | out: pbData=0x4604a0*, pdwDataLen=0x1af328*=0x80) returned 1 [0046.462] rand () returned 16452 [0046.462] srand (_Seed=0x1bec1c) [0046.462] rand () returned 11998 [0046.462] rand () returned 24222 [0046.462] rand () returned 7801 [0046.462] rand () returned 10247 [0046.462] rand () returned 19630 [0046.462] rand () returned 1204 [0046.462] rand () returned 27873 [0046.462] rand () returned 15629 [0046.462] rand () returned 17956 [0046.462] rand () returned 17145 [0046.462] rand () returned 13659 [0046.462] rand () returned 20483 [0046.462] rand () returned 25935 [0046.462] rand () returned 1425 [0046.462] rand () returned 5258 [0046.462] rand () returned 10198 [0046.462] rand () returned 16120 [0046.462] rand () returned 4465 [0046.462] rand () returned 29082 [0046.462] rand () returned 11471 [0046.463] rand () returned 212 [0046.463] rand () returned 27079 [0046.463] rand () returned 24088 [0046.463] rand () returned 6421 [0046.463] rand () returned 28669 [0046.463] rand () returned 9366 [0046.463] rand () returned 10247 [0046.463] rand () returned 4724 [0046.463] rand () returned 11171 [0046.463] rand () returned 29345 [0046.463] rand () returned 21040 [0046.463] rand () returned 4444 [0046.463] rand () returned 2047 [0046.463] rand () returned 24203 [0046.463] rand () returned 26297 [0046.463] rand () returned 14637 [0046.463] rand () returned 5513 [0046.463] rand () returned 1852 [0046.463] rand () returned 22521 [0046.463] rand () returned 1457 [0046.463] rand () returned 10347 [0046.463] rand () returned 22919 [0046.463] rand () returned 25483 [0046.463] rand () returned 29162 [0046.463] rand () returned 29749 [0046.463] rand () returned 3337 [0046.463] rand () returned 11169 [0046.463] rand () returned 31759 [0046.463] rand () returned 4050 [0046.463] rand () returned 26708 [0046.463] rand () returned 31387 [0046.463] rand () returned 10961 [0046.463] rand () returned 30139 [0046.463] rand () returned 4173 [0046.463] rand () returned 25817 [0046.463] rand () returned 30690 [0046.463] rand () returned 21610 [0046.463] rand () returned 26322 [0046.463] rand () returned 15565 [0046.463] rand () returned 17336 [0046.463] rand () returned 17170 [0046.463] rand () returned 15520 [0046.463] rand () returned 3412 [0046.463] rand () returned 13967 [0046.463] rand () returned 11917 [0046.463] rand () returned 23156 [0046.463] rand () returned 3654 [0046.463] srand (_Seed=0x1b2424) [0046.463] rand () returned 8666 [0046.463] rand () returned 32058 [0046.463] rand () returned 27247 [0046.463] rand () returned 8514 [0046.463] rand () returned 19488 [0046.463] rand () returned 15729 [0046.463] rand () returned 13297 [0046.463] rand () returned 20621 [0046.464] rand () returned 7186 [0046.464] rand () returned 12388 [0046.464] rand () returned 15864 [0046.464] rand () returned 26639 [0046.464] rand () returned 6659 [0046.464] rand () returned 14701 [0046.464] rand () returned 10639 [0046.464] rand () returned 25468 [0046.464] rand () returned 30312 [0046.464] rand () returned 7290 [0046.464] rand () returned 27379 [0046.464] rand () returned 26091 [0046.464] rand () returned 2188 [0046.464] rand () returned 20987 [0046.464] rand () returned 24041 [0046.464] rand () returned 19674 [0046.464] rand () returned 9605 [0046.464] rand () returned 20991 [0046.464] rand () returned 29781 [0046.464] rand () returned 29811 [0046.464] rand () returned 25446 [0046.464] rand () returned 6809 [0046.464] rand () returned 13065 [0046.464] rand () returned 4366 [0046.464] rand () returned 7350 [0046.464] rand () returned 30089 [0046.464] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgrfmmBw99c6k47 / OBto0QuJnIFNLJyqocECDo7SCCTpZ1RbCx5iTwuZN2DqaI2z69bsRWKprUBSLjSQYEPs / 3qEpQV8qKZl9JdlSbA5qxTgHmQkMMKLdy0w0O4BDi1D6XhOFJOXLl3uA481oEMD + rM0p8qxBBPY32KtaQoQuahQIDAQAB-----END PUBLIC KEY-----ªð\x1a", cchString=0x0, dwFlags=0x0, pbBinary=0x1aeb24, pcbBinary=0x1af334, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x1aeb24, pcbBinary=0x1af334, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0046.464] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x1aeb24, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x1af32c, pcbStructInfo=0x1af324 | out: pvStructInfo=0x1af32c, pcbStructInfo=0x1af324) returned 1 [0046.464] CryptAcquireContextW (in: phProv=0x1af330, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x1af330*=0x4a43c0) returned 1 [0046.465] CryptImportPublicKeyInfo (in: hCryptProv=0x4a43c0, dwCertEncodingType=0x1, pInfo=0x4a1e80*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4a1eb0*, PublicKey.cbData=0x8c, PublicKey.pbData=0x4a1eb8*, PublicKey.cUnusedBits=0x0), phKey=0x1af338 | out: phKey=0x1af338*=0x4a1348) returned 1 [0046.465] LocalFree (hMem=0x4a1e80) returned 0x0 [0046.465] CryptEncrypt (in: hKey=0x4a1348, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1af33c*=0x36, dwBufLen=0x36 | out: pbData=0x0*, pdwDataLen=0x1af33c*=0x80) returned 1 [0046.465] CryptEncrypt (in: hKey=0x4a1348, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x460518*, pdwDataLen=0x1af328*=0x36, dwBufLen=0x80 | out: pbData=0x460518*, pdwDataLen=0x1af328*=0x80) returned 1 [0046.465] rand () returned 28891 [0046.465] srand (_Seed=0x1cae78) [0046.465] rand () returned 10640 [0046.465] rand () returned 15402 [0046.465] rand () returned 25516 [0046.465] rand () returned 27301 [0046.465] rand () returned 19179 [0046.465] rand () returned 16760 [0046.465] rand () returned 29417 [0046.465] rand () returned 19900 [0046.465] rand () returned 9347 [0046.465] rand () returned 3167 [0046.465] rand () returned 27240 [0046.465] rand () returned 16612 [0046.465] rand () returned 5978 [0046.465] rand () returned 17192 [0046.465] rand () returned 15196 [0046.465] rand () returned 1110 [0046.465] rand () returned 26457 [0046.466] rand () returned 19563 [0046.466] rand () returned 23312 [0046.466] rand () returned 32001 [0046.466] rand () returned 22339 [0046.466] rand () returned 19248 [0046.466] rand () returned 24187 [0046.466] rand () returned 12751 [0046.466] rand () returned 16616 [0046.466] rand () returned 9813 [0046.466] rand () returned 29718 [0046.466] rand () returned 11818 [0046.466] rand () returned 32155 [0046.466] rand () returned 7984 [0046.466] rand () returned 12266 [0046.466] rand () returned 28095 [0046.466] rand () returned 13029 [0046.466] rand () returned 15220 [0046.466] rand () returned 24045 [0046.466] rand () returned 13697 [0046.466] rand () returned 22395 [0046.466] rand () returned 1625 [0046.466] rand () returned 20110 [0046.466] rand () returned 32241 [0046.466] rand () returned 1134 [0046.466] rand () returned 27895 [0046.466] rand () returned 20879 [0046.466] rand () returned 21149 [0046.466] rand () returned 26274 [0046.466] rand () returned 14835 [0046.466] rand () returned 21267 [0046.466] rand () returned 19175 [0046.466] rand () returned 25729 [0046.466] rand () returned 29790 [0046.466] rand () returned 20216 [0046.466] rand () returned 8 [0046.466] rand () returned 19440 [0046.466] rand () returned 9690 [0046.466] rand () returned 3686 [0046.466] rand () returned 9301 [0046.466] rand () returned 7298 [0046.466] rand () returned 19455 [0046.466] rand () returned 25512 [0046.466] rand () returned 8128 [0046.466] rand () returned 16876 [0046.466] rand () returned 30973 [0046.466] rand () returned 22587 [0046.466] rand () returned 21921 [0046.466] rand () returned 21178 [0046.466] rand () returned 26498 [0046.466] rand () returned 293 [0046.466] srand (_Seed=0x1aefa0) [0046.466] rand () returned 30300 [0046.466] rand () returned 4594 [0046.466] rand () returned 17998 [0046.466] rand () returned 19788 [0046.466] rand () returned 24526 [0046.466] rand () returned 14020 [0046.467] rand () returned 14241 [0046.467] rand () returned 20537 [0046.467] rand () returned 28567 [0046.467] rand () returned 26115 [0046.467] rand () returned 5467 [0046.467] rand () returned 24300 [0046.467] rand () returned 3358 [0046.467] rand () returned 27845 [0046.467] rand () returned 11847 [0046.467] rand () returned 10959 [0046.467] rand () returned 2748 [0046.467] rand () returned 24662 [0046.467] rand () returned 23956 [0046.467] rand () returned 4393 [0046.467] rand () returned 17450 [0046.467] rand () returned 4826 [0046.467] rand () returned 15587 [0046.467] rand () returned 21734 [0046.467] rand () returned 309 [0046.467] rand () returned 15156 [0046.467] rand () returned 15519 [0046.467] rand () returned 9623 [0046.467] rand () returned 28857 [0046.467] rand () returned 21543 [0046.467] rand () returned 5773 [0046.467] rand () returned 6073 [0046.467] rand () returned 20428 [0046.467] rand () returned 30395 [0046.467] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDgrfmmBw99c6k47 / OBto0QuJnIFNLJyqocECDo7SCCTpZ1RbCx5iTwuZN2DqaI2z69bsRWKprUBSLjSQYEPs / 3qEpQV8qKZl9JdlSbA5qxTgHmQkMMKLdy0w0O4BDi1D6XhOFJOXLl3uA481oEMD + rM0p8qxBBPY32KtaQoQuahQIDAQAB-----END PUBLIC KEY-----ªð\x1a", cchString=0x0, dwFlags=0x0, pbBinary=0x1aeb24, pcbBinary=0x1af334, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x1aeb24, pcbBinary=0x1af334, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0046.467] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x1aeb24, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x1af32c, pcbStructInfo=0x1af324 | out: pvStructInfo=0x1af32c, pcbStructInfo=0x1af324) returned 1 [0046.467] CryptAcquireContextW (in: phProv=0x1af330, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x1af330*=0x4a61a0) returned 1 [0046.468] CryptImportPublicKeyInfo (in: hCryptProv=0x4a61a0, dwCertEncodingType=0x1, pInfo=0x4a1e80*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4a1eb0*, PublicKey.cbData=0x8c, PublicKey.pbData=0x4a1eb8*, PublicKey.cUnusedBits=0x0), phKey=0x1af338 | out: phKey=0x1af338*=0x4a1648) returned 1 [0046.468] LocalFree (hMem=0x4a1e80) returned 0x0 [0046.468] CryptEncrypt (in: hKey=0x4a1648, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1af33c*=0x36, dwBufLen=0x36 | out: pbData=0x0*, pdwDataLen=0x1af33c*=0x80) returned 1 [0046.468] CryptEncrypt (in: hKey=0x4a1648, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x465870*, pdwDataLen=0x1af328*=0x36, dwBufLen=0x80 | out: pbData=0x465870*, pdwDataLen=0x1af328*=0x80) returned 1 [0046.469] GetCurrentProcess () returned 0xffffffff [0046.469] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1afb60 | out: TokenHandle=0x1afb60*=0xf8) returned 1 [0046.469] GetTokenInformation (in: TokenHandle=0xf8, TokenInformationClass=0x14, TokenInformation=0x1afb5c, TokenInformationLength=0x4, ReturnLength=0x1afb58 | out: TokenInformation=0x1afb5c, ReturnLength=0x1afb58) returned 1 [0046.469] CloseHandle (hObject=0xf8) returned 1 [0046.469] Wow64EnableWow64FsRedirection (Wow64FsEnableRedirection=0) returned 1 [0046.470] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd.exe", lpParameters=" /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0047.172] Wow64EnableWow64FsRedirection (Wow64FsEnableRedirection=1) returned 1 [0047.172] GetLogicalDriveStringsW (in: nBufferLength=0x400, lpBuffer=0x1af354 | out: lpBuffer="C:\\") returned 0x4 [0047.172] GetCurrentProcess () returned 0xffffffff [0047.172] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1afb60 | out: TokenHandle=0x1afb60*=0x208) returned 1 [0047.172] GetTokenInformation (in: TokenHandle=0x208, TokenInformationClass=0x14, TokenInformation=0x1afb54, TokenInformationLength=0x4, ReturnLength=0x1afb58 | out: TokenInformation=0x1afb54, ReturnLength=0x1afb58) returned 1 [0047.172] CloseHandle (hObject=0x208) returned 1 [0047.172] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xfb19b0, lpParameter=0x1af354, dwCreationFlags=0x2, lpThreadId=0xfb6628 | out: lpThreadId=0xfb6628*=0xaf8) returned 0x208 [0047.172] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x770a0000 [0047.173] GetCurrentProcess () returned 0xffffffff [0047.173] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x1af324 | out: TokenHandle=0x1af324*=0x204) returned 1 [0048.643] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1af328 | out: lpLuid=0x1af328*(LowPart=0x14, HighPart=0)) returned 1 [0048.643] AdjustTokenPrivileges (in: TokenHandle=0x204, DisableAllPrivileges=0, NewState=0x1af330*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0048.643] CloseHandle (hObject=0x204) returned 1 [0048.644] GetProcAddress (hModule=0x770a0000, lpProcName="RtlSetProcessIsCritical") returned 0x7717644a [0048.644] RtlSetProcessIsCritical (in: NewValue=1, OldValue=0x0, IsWinlogon=0 | out: OldValue=0x0) [0048.644] WaitForMultipleObjects (nCount=0x1, lpHandles=0x465348*=0x208, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 8 os_tid = 0xadc Thread: id = 9 os_tid = 0xae0 Thread: id = 10 os_tid = 0xae4 Thread: id = 11 os_tid = 0xae8 Thread: id = 12 os_tid = 0xaec Thread: id = 14 os_tid = 0xaf8 [0048.638] PathCombineW (in: pszDest=0x2acf8a0, pszDir="C:\\", pszFile="*.*" | out: pszDest="C:\\*.*") returned="C:\\*.*" [0048.638] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 0x4d4e98 [0048.638] FindNextFileW (in: hFindFile=0x4d4e98, lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0048.638] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="Windows") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="MSOCache") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="PerfLogs") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="DVD Maker") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="Internet Explorer") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="Reference Assemblies") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="Windows Defender") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="Windows Mail") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="Windows Media Player") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="Windows NT") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="Windows Sidebar") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="Startup") returned -1 [0048.638] lstrcmpW (lpString1="Boot", lpString2="Temp") returned -1 [0048.638] PathCombineW (in: pszDest=0x2acf8a0, pszDir="C:\\", pszFile="Boot" | out: pszDest="C:\\Boot") returned="C:\\Boot" [0048.639] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="*.*" | out: pszDest="C:\\Boot\\*.*") returned="C:\\Boot\\*.*" [0048.639] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*", lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 0x4d4ed8 [0048.639] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0048.639] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.639] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0048.639] lstrcmpW (lpString1="BCD", lpString2="..") returned 1 [0048.639] lstrcmpW (lpString1="BCD", lpString2=".") returned 1 [0048.639] lstrcmpW (lpString1="BCD", lpString2="Windows") returned -1 [0048.639] lstrcmpW (lpString1="BCD", lpString2="MSOCache") returned -1 [0048.639] lstrcmpW (lpString1="BCD", lpString2="PerfLogs") returned -1 [0048.639] lstrcmpW (lpString1="BCD", lpString2="DVD Maker") returned -1 [0048.639] lstrcmpW (lpString1="BCD", lpString2="Internet Explorer") returned -1 [0048.639] lstrcmpW (lpString1="BCD", lpString2="Reference Assemblies") returned -1 [0048.639] lstrcmpW (lpString1="BCD", lpString2="Windows Defender") returned -1 [0048.639] lstrcmpW (lpString1="BCD", lpString2="Windows Mail") returned -1 [0048.640] lstrcmpW (lpString1="BCD", lpString2="Windows Media Player") returned -1 [0048.640] lstrcmpW (lpString1="BCD", lpString2="Windows NT") returned -1 [0048.640] lstrcmpW (lpString1="BCD", lpString2="Windows Sidebar") returned -1 [0048.640] lstrcmpW (lpString1="BCD", lpString2="Startup") returned -1 [0048.640] lstrcmpW (lpString1="BCD", lpString2="Temp") returned -1 [0048.640] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="BCD" | out: pszDest="C:\\Boot\\BCD") returned="C:\\Boot\\BCD" [0048.640] PathFindExtensionW (pszPath="BCD") returned="" [0048.640] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.640] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="..") returned 1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2=".") returned 1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="Windows") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="MSOCache") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="PerfLogs") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="DVD Maker") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="Internet Explorer") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="Reference Assemblies") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="Windows Defender") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="Windows Mail") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="Windows Media Player") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="Windows NT") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="Windows Sidebar") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="Startup") returned -1 [0048.640] lstrcmpW (lpString1="BCD.LOG", lpString2="Temp") returned -1 [0048.640] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="BCD.LOG" | out: pszDest="C:\\Boot\\BCD.LOG") returned="C:\\Boot\\BCD.LOG" [0048.640] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0048.640] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0048.641] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="..") returned 1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2=".") returned 1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="Windows") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="MSOCache") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="PerfLogs") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="DVD Maker") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="Internet Explorer") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="Reference Assemblies") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="Windows Defender") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="Windows Mail") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="Windows Media Player") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="Windows NT") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="Windows Sidebar") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="Startup") returned -1 [0048.641] lstrcmpW (lpString1="BCD.LOG1", lpString2="Temp") returned -1 [0048.641] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="BCD.LOG1" | out: pszDest="C:\\Boot\\BCD.LOG1") returned="C:\\Boot\\BCD.LOG1" [0048.641] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0048.641] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x20c [0048.642] GetFileSize (in: hFile=0x20c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0048.642] CreateFileMappingW (hFile=0x20c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0048.642] MapViewOfFile (hFileMappingObject=0x0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x0 [0048.642] CloseHandle (hObject=0x0) returned 0 [0048.642] CloseHandle (hObject=0x20c) returned 1 [0048.642] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0048.642] _wfopen (_FileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), _Mode="rb+") returned 0x76ea4c68 [0049.835] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0049.838] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0049.839] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0049.847] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:\\Boot\\BCD.LOG1.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\boot\\bcd.log1.[sepsis@protonmail.com].sepsis")) returned 1 [0049.848] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="..") returned 1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2=".") returned 1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="Windows") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="MSOCache") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="PerfLogs") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="DVD Maker") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="Internet Explorer") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="Reference Assemblies") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="Windows Defender") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="Windows Mail") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="Windows Media Player") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="Windows NT") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="Windows Sidebar") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="Startup") returned -1 [0049.848] lstrcmpW (lpString1="BCD.LOG2", lpString2="Temp") returned -1 [0049.848] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="BCD.LOG2" | out: pszDest="C:\\Boot\\BCD.LOG2") returned="C:\\Boot\\BCD.LOG2" [0049.849] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0049.849] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0049.849] GetFileSize (in: hFile=0x204, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0049.849] CreateFileMappingW (hFile=0x204, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0049.849] MapViewOfFile (hFileMappingObject=0x0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x0 [0049.849] CloseHandle (hObject=0x0) returned 0 [0049.849] CloseHandle (hObject=0x204) returned 1 [0049.849] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0049.849] _wfopen (_FileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), _Mode="rb+") returned 0x76ea4c68 [0049.850] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0049.850] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0049.850] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0049.857] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:\\Boot\\BCD.LOG2.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\boot\\bcd.log2.[sepsis@protonmail.com].sepsis")) returned 1 [0049.857] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0049.857] lstrcmpW (lpString1="bg-BG", lpString2="..") returned 1 [0049.857] lstrcmpW (lpString1="bg-BG", lpString2=".") returned 1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="Windows") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="MSOCache") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="PerfLogs") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="DVD Maker") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="Internet Explorer") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="Reference Assemblies") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="Windows Defender") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="Windows Mail") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="Windows Media Player") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="Windows NT") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="Windows Sidebar") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="Startup") returned -1 [0049.858] lstrcmpW (lpString1="bg-BG", lpString2="Temp") returned -1 [0049.858] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="bg-BG" | out: pszDest="C:\\Boot\\bg-BG") returned="C:\\Boot\\bg-BG" [0049.858] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\bg-BG", pszFile="*.*" | out: pszDest="C:\\Boot\\bg-BG\\*.*") returned="C:\\Boot\\bg-BG\\*.*" [0049.858] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4998 [0049.858] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0049.859] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.859] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0049.859] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0049.859] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\bg-BG", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned="C:\\Boot\\bg-BG\\bootmgr.exe.mui" [0049.859] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0049.859] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0049.943] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0049.944] FindClose (in: hFindFile=0x4d4998 | out: hFindFile=0x4d4998) returned 1 [0049.944] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="..") returned 1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2=".") returned 1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="Windows") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="MSOCache") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="PerfLogs") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="DVD Maker") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="Internet Explorer") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="Reference Assemblies") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="Windows Defender") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="Windows Mail") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="Windows Media Player") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="Windows NT") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="Windows Sidebar") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="Startup") returned -1 [0049.944] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="Temp") returned -1 [0049.944] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="BOOTSTAT.DAT" | out: pszDest="C:\\Boot\\BOOTSTAT.DAT") returned="C:\\Boot\\BOOTSTAT.DAT" [0049.944] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0049.944] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x204 [0049.945] GetFileSize (in: hFile=0x204, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0049.945] CreateFileMappingW (hFile=0x204, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10000, lpName=0x0) returned 0x21c [0049.945] MapViewOfFile (hFileMappingObject=0x21c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0049.956] CloseHandle (hObject=0x21c) returned 1 [0049.959] CloseHandle (hObject=0x204) returned 1 [0049.965] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0049.966] _wfopen (_FileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), _Mode="rb+") returned 0x76ea4c68 [0049.966] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0049.966] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0049.966] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0049.968] MoveFileW (lpExistingFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\Boot\\BOOTSTAT.DAT.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\boot\\bootstat.dat.[sepsis@protonmail.com].sepsis")) returned 1 [0049.969] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0049.969] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0049.969] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0049.969] lstrcmpW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0049.969] lstrcmpW (lpString1="cs-CZ", lpString2="MSOCache") returned -1 [0049.969] lstrcmpW (lpString1="cs-CZ", lpString2="PerfLogs") returned -1 [0049.969] lstrcmpW (lpString1="cs-CZ", lpString2="DVD Maker") returned -1 [0049.970] lstrcmpW (lpString1="cs-CZ", lpString2="Internet Explorer") returned -1 [0049.970] lstrcmpW (lpString1="cs-CZ", lpString2="Reference Assemblies") returned -1 [0049.970] lstrcmpW (lpString1="cs-CZ", lpString2="Windows Defender") returned -1 [0049.970] lstrcmpW (lpString1="cs-CZ", lpString2="Windows Mail") returned -1 [0049.970] lstrcmpW (lpString1="cs-CZ", lpString2="Windows Media Player") returned -1 [0049.970] lstrcmpW (lpString1="cs-CZ", lpString2="Windows NT") returned -1 [0049.970] lstrcmpW (lpString1="cs-CZ", lpString2="Windows Sidebar") returned -1 [0049.970] lstrcmpW (lpString1="cs-CZ", lpString2="Startup") returned -1 [0049.970] lstrcmpW (lpString1="cs-CZ", lpString2="Temp") returned -1 [0049.970] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="cs-CZ" | out: pszDest="C:\\Boot\\cs-CZ") returned="C:\\Boot\\cs-CZ" [0049.970] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\cs-CZ", pszFile="*.*" | out: pszDest="C:\\Boot\\cs-CZ\\*.*") returned="C:\\Boot\\cs-CZ\\*.*" [0049.970] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4cd8 [0049.970] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0049.970] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.970] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0049.970] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.002] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.002] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.002] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.002] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.002] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.002] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.002] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.002] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.003] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.003] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.003] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.003] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.003] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.003] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.003] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\cs-CZ", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" [0050.003] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.003] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.003] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.003] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.004] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.004] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.004] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\cs-CZ", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned="C:\\Boot\\cs-CZ\\memtest.exe.mui" [0050.004] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.004] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.010] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.010] FindClose (in: hFindFile=0x4d4cd8 | out: hFindFile=0x4d4cd8) returned 1 [0050.010] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="Windows") returned -1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="MSOCache") returned -1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="PerfLogs") returned -1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="DVD Maker") returned -1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="Internet Explorer") returned -1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="Reference Assemblies") returned -1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="Windows Defender") returned -1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="Windows Mail") returned -1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="Windows Media Player") returned -1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="Windows NT") returned -1 [0050.010] lstrcmpW (lpString1="da-DK", lpString2="Windows Sidebar") returned -1 [0050.011] lstrcmpW (lpString1="da-DK", lpString2="Startup") returned -1 [0050.011] lstrcmpW (lpString1="da-DK", lpString2="Temp") returned -1 [0050.011] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="da-DK" | out: pszDest="C:\\Boot\\da-DK") returned="C:\\Boot\\da-DK" [0050.011] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\da-DK", pszFile="*.*" | out: pszDest="C:\\Boot\\da-DK\\*.*") returned="C:\\Boot\\da-DK\\*.*" [0050.011] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4b58 [0050.011] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.011] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.011] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.011] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.011] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\da-DK", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned="C:\\Boot\\da-DK\\bootmgr.exe.mui" [0050.012] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.012] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.012] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.012] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\da-DK", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\da-DK\\memtest.exe.mui") returned="C:\\Boot\\da-DK\\memtest.exe.mui" [0050.012] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.012] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.013] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.013] FindClose (in: hFindFile=0x4d4b58 | out: hFindFile=0x4d4b58) returned 1 [0050.013] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.013] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0050.013] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0050.013] lstrcmpW (lpString1="de-DE", lpString2="Windows") returned -1 [0050.013] lstrcmpW (lpString1="de-DE", lpString2="MSOCache") returned -1 [0050.013] lstrcmpW (lpString1="de-DE", lpString2="PerfLogs") returned -1 [0050.013] lstrcmpW (lpString1="de-DE", lpString2="DVD Maker") returned -1 [0050.013] lstrcmpW (lpString1="de-DE", lpString2="Internet Explorer") returned -1 [0050.013] lstrcmpW (lpString1="de-DE", lpString2="Reference Assemblies") returned -1 [0050.013] lstrcmpW (lpString1="de-DE", lpString2="Windows Defender") returned -1 [0050.014] lstrcmpW (lpString1="de-DE", lpString2="Windows Mail") returned -1 [0050.014] lstrcmpW (lpString1="de-DE", lpString2="Windows Media Player") returned -1 [0050.014] lstrcmpW (lpString1="de-DE", lpString2="Windows NT") returned -1 [0050.014] lstrcmpW (lpString1="de-DE", lpString2="Windows Sidebar") returned -1 [0050.014] lstrcmpW (lpString1="de-DE", lpString2="Startup") returned -1 [0050.014] lstrcmpW (lpString1="de-DE", lpString2="Temp") returned -1 [0050.014] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="de-DE" | out: pszDest="C:\\Boot\\de-DE") returned="C:\\Boot\\de-DE" [0050.014] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\de-DE", pszFile="*.*" | out: pszDest="C:\\Boot\\de-DE\\*.*") returned="C:\\Boot\\de-DE\\*.*" [0050.014] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4b18 [0050.014] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.014] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.014] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.014] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.014] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.014] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.014] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.014] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.014] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.014] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.014] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.014] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.014] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.017] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.017] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.017] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.017] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.017] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.017] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\de-DE", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned="C:\\Boot\\de-DE\\bootmgr.exe.mui" [0050.017] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.017] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.018] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.018] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.018] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\de-DE", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\de-DE\\memtest.exe.mui") returned="C:\\Boot\\de-DE\\memtest.exe.mui" [0050.018] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.019] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.019] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.019] FindClose (in: hFindFile=0x4d4b18 | out: hFindFile=0x4d4b18) returned 1 [0050.019] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.019] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0050.019] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0050.019] lstrcmpW (lpString1="el-GR", lpString2="Windows") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="MSOCache") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="PerfLogs") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="DVD Maker") returned 1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="Internet Explorer") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="Reference Assemblies") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="Windows Defender") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="Windows Mail") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="Windows Media Player") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="Windows NT") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="Windows Sidebar") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="Startup") returned -1 [0050.020] lstrcmpW (lpString1="el-GR", lpString2="Temp") returned -1 [0050.020] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="el-GR" | out: pszDest="C:\\Boot\\el-GR") returned="C:\\Boot\\el-GR" [0050.020] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\el-GR", pszFile="*.*" | out: pszDest="C:\\Boot\\el-GR\\*.*") returned="C:\\Boot\\el-GR\\*.*" [0050.020] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4798 [0050.020] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.020] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.020] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.020] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.020] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.020] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.020] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.020] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.020] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.021] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.021] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\el-GR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned="C:\\Boot\\el-GR\\bootmgr.exe.mui" [0050.021] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.021] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.022] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.022] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.022] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\el-GR", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\el-GR\\memtest.exe.mui") returned="C:\\Boot\\el-GR\\memtest.exe.mui" [0050.022] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.022] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.022] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.022] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0050.023] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="..") returned 1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2=".") returned 1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="Windows") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="MSOCache") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="PerfLogs") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="DVD Maker") returned 1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="Internet Explorer") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="Reference Assemblies") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="Windows Defender") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="Windows Mail") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="Windows Media Player") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="Windows NT") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="Windows Sidebar") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="Startup") returned -1 [0050.023] lstrcmpW (lpString1="en-GB", lpString2="Temp") returned -1 [0050.023] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="en-GB" | out: pszDest="C:\\Boot\\en-GB") returned="C:\\Boot\\en-GB" [0050.023] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\en-GB", pszFile="*.*" | out: pszDest="C:\\Boot\\en-GB\\*.*") returned="C:\\Boot\\en-GB\\*.*" [0050.023] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4798 [0050.023] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.023] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.023] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.024] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.024] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\en-GB", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned="C:\\Boot\\en-GB\\bootmgr.exe.mui" [0050.024] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.024] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.044] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.044] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0050.044] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0050.044] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="Windows") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="MSOCache") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="PerfLogs") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="DVD Maker") returned 1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="Internet Explorer") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="Reference Assemblies") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="Windows Defender") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="Windows Mail") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="Windows Media Player") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="Windows NT") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="Windows Sidebar") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="Startup") returned -1 [0050.044] lstrcmpW (lpString1="en-US", lpString2="Temp") returned -1 [0050.044] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="en-US" | out: pszDest="C:\\Boot\\en-US") returned="C:\\Boot\\en-US" [0050.044] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\en-US", pszFile="*.*" | out: pszDest="C:\\Boot\\en-US\\*.*") returned="C:\\Boot\\en-US\\*.*" [0050.044] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4818 [0050.044] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.044] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.044] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.045] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.045] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\en-US", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\en-US\\bootmgr.exe.mui") returned="C:\\Boot\\en-US\\bootmgr.exe.mui" [0050.045] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.045] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.045] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.045] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.045] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.045] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.045] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.045] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.046] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.046] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.046] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.046] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.046] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.046] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.046] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.046] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.046] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.046] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.046] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\en-US", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\en-US\\memtest.exe.mui") returned="C:\\Boot\\en-US\\memtest.exe.mui" [0050.046] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.046] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.047] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.047] FindClose (in: hFindFile=0x4d4818 | out: hFindFile=0x4d4818) returned 1 [0050.047] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="Windows") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="MSOCache") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="PerfLogs") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="DVD Maker") returned 1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="Internet Explorer") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="Reference Assemblies") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="Windows Defender") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="Windows Mail") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="Windows Media Player") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="Windows NT") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="Windows Sidebar") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="Startup") returned -1 [0050.047] lstrcmpW (lpString1="es-ES", lpString2="Temp") returned -1 [0050.047] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="es-ES" | out: pszDest="C:\\Boot\\es-ES") returned="C:\\Boot\\es-ES" [0050.047] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\es-ES", pszFile="*.*" | out: pszDest="C:\\Boot\\es-ES\\*.*") returned="C:\\Boot\\es-ES\\*.*" [0050.047] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4898 [0050.047] FindNextFileW (in: hFindFile=0x4d4898, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.047] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.047] FindNextFileW (in: hFindFile=0x4d4898, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.047] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.048] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.048] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\es-ES", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned="C:\\Boot\\es-ES\\bootmgr.exe.mui" [0050.048] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.048] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.049] FindNextFileW (in: hFindFile=0x4d4898, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.049] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.049] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\es-ES", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\es-ES\\memtest.exe.mui") returned="C:\\Boot\\es-ES\\memtest.exe.mui" [0050.049] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.049] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.050] FindNextFileW (in: hFindFile=0x4d4898, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.050] FindClose (in: hFindFile=0x4d4898 | out: hFindFile=0x4d4898) returned 1 [0050.051] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="..") returned 1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2=".") returned 1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="Windows") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="MSOCache") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="PerfLogs") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="DVD Maker") returned 1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="Internet Explorer") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="Reference Assemblies") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="Windows Defender") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="Windows Mail") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="Windows Media Player") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="Windows NT") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="Windows Sidebar") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="Startup") returned -1 [0050.051] lstrcmpW (lpString1="et-EE", lpString2="Temp") returned -1 [0050.051] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="et-EE" | out: pszDest="C:\\Boot\\et-EE") returned="C:\\Boot\\et-EE" [0050.051] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\et-EE", pszFile="*.*" | out: pszDest="C:\\Boot\\et-EE\\*.*") returned="C:\\Boot\\et-EE\\*.*" [0050.051] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4e18 [0050.052] FindNextFileW (in: hFindFile=0x4d4e18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.052] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.052] FindNextFileW (in: hFindFile=0x4d4e18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.052] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.052] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\et-EE", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned="C:\\Boot\\et-EE\\bootmgr.exe.mui" [0050.052] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.052] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.053] FindNextFileW (in: hFindFile=0x4d4e18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.053] FindClose (in: hFindFile=0x4d4e18 | out: hFindFile=0x4d4e18) returned 1 [0050.054] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="Windows") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="MSOCache") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="PerfLogs") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="DVD Maker") returned 1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="Internet Explorer") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="Reference Assemblies") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="Windows Defender") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="Windows Mail") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="Windows Media Player") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="Windows NT") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="Windows Sidebar") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="Startup") returned -1 [0050.054] lstrcmpW (lpString1="fi-FI", lpString2="Temp") returned -1 [0050.054] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="fi-FI" | out: pszDest="C:\\Boot\\fi-FI") returned="C:\\Boot\\fi-FI" [0050.054] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\fi-FI", pszFile="*.*" | out: pszDest="C:\\Boot\\fi-FI\\*.*") returned="C:\\Boot\\fi-FI\\*.*" [0050.054] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4918 [0050.054] FindNextFileW (in: hFindFile=0x4d4918, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.054] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.054] FindNextFileW (in: hFindFile=0x4d4918, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.054] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.054] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.054] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.054] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.054] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.055] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.055] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\fi-FI", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned="C:\\Boot\\fi-FI\\bootmgr.exe.mui" [0050.055] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.055] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.055] FindNextFileW (in: hFindFile=0x4d4918, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.055] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.055] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.055] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.055] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.056] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.056] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\fi-FI", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\fi-FI\\memtest.exe.mui") returned="C:\\Boot\\fi-FI\\memtest.exe.mui" [0050.057] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.057] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.058] FindNextFileW (in: hFindFile=0x4d4918, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.058] FindClose (in: hFindFile=0x4d4918 | out: hFindFile=0x4d4918) returned 1 [0050.058] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="Windows") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="MSOCache") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="PerfLogs") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="DVD Maker") returned 1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="Internet Explorer") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="Reference Assemblies") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="Windows Defender") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="Windows Mail") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="Windows Media Player") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="Windows NT") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="Windows Sidebar") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="Startup") returned -1 [0050.058] lstrcmpW (lpString1="Fonts", lpString2="Temp") returned -1 [0050.058] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="Fonts" | out: pszDest="C:\\Boot\\Fonts") returned="C:\\Boot\\Fonts" [0050.058] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="*.*" | out: pszDest="C:\\Boot\\Fonts\\*.*") returned="C:\\Boot\\Fonts\\*.*" [0050.058] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4798 [0050.066] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.066] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.066] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="..") returned 1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2=".") returned 1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="Windows") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="MSOCache") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="PerfLogs") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="DVD Maker") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="Internet Explorer") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="Windows Defender") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="Windows Mail") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="Windows NT") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="Startup") returned -1 [0050.066] lstrcmpW (lpString1="chs_boot.ttf", lpString2="Temp") returned -1 [0050.066] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="chs_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\chs_boot.ttf") returned="C:\\Boot\\Fonts\\chs_boot.ttf" [0050.066] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0050.066] CreateFileW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.066] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.066] lstrcmpW (lpString1="cht_boot.ttf", lpString2="..") returned 1 [0050.066] lstrcmpW (lpString1="cht_boot.ttf", lpString2=".") returned 1 [0050.066] lstrcmpW (lpString1="cht_boot.ttf", lpString2="Windows") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="MSOCache") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="PerfLogs") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="DVD Maker") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="Internet Explorer") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="Windows Defender") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="Windows Mail") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="Windows NT") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="Startup") returned -1 [0050.067] lstrcmpW (lpString1="cht_boot.ttf", lpString2="Temp") returned -1 [0050.067] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="cht_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\cht_boot.ttf") returned="C:\\Boot\\Fonts\\cht_boot.ttf" [0050.067] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0050.067] CreateFileW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.068] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="..") returned 1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2=".") returned 1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="Windows") returned -1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="MSOCache") returned -1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="PerfLogs") returned -1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="DVD Maker") returned 1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="Windows Defender") returned -1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="Windows Mail") returned -1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="Windows NT") returned -1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.068] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="Startup") returned -1 [0050.069] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="Temp") returned -1 [0050.069] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="jpn_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\jpn_boot.ttf") returned="C:\\Boot\\Fonts\\jpn_boot.ttf" [0050.069] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0050.069] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.069] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="..") returned 1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2=".") returned 1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="Windows") returned -1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="MSOCache") returned -1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="PerfLogs") returned -1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="DVD Maker") returned 1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="Windows Defender") returned -1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="Windows Mail") returned -1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="Windows NT") returned -1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="Startup") returned -1 [0050.069] lstrcmpW (lpString1="kor_boot.ttf", lpString2="Temp") returned -1 [0050.069] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="kor_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\kor_boot.ttf") returned="C:\\Boot\\Fonts\\kor_boot.ttf" [0050.069] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0050.069] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.069] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.069] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="..") returned 1 [0050.069] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2=".") returned 1 [0050.069] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="Windows") returned -1 [0050.069] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="MSOCache") returned -1 [0050.069] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="PerfLogs") returned -1 [0050.070] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="DVD Maker") returned 1 [0050.070] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.070] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.070] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="Windows Defender") returned -1 [0050.070] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="Windows Mail") returned -1 [0050.070] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.070] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="Windows NT") returned -1 [0050.070] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.070] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="Startup") returned -1 [0050.070] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="Temp") returned -1 [0050.070] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="malgunn_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned="C:\\Boot\\Fonts\\malgunn_boot.ttf" [0050.070] PathFindExtensionW (pszPath="malgunn_boot.ttf") returned=".ttf" [0050.070] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.070] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.070] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="..") returned 1 [0050.070] lstrcmpW (lpString1="malgun_boot.ttf", lpString2=".") returned 1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="Windows") returned -1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="MSOCache") returned -1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="PerfLogs") returned -1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="DVD Maker") returned 1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="Windows Defender") returned -1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="Windows Mail") returned -1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="Windows NT") returned -1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="Startup") returned -1 [0050.071] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="Temp") returned -1 [0050.071] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="malgun_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\malgun_boot.ttf") returned="C:\\Boot\\Fonts\\malgun_boot.ttf" [0050.071] PathFindExtensionW (pszPath="malgun_boot.ttf") returned=".ttf" [0050.071] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.071] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.071] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="..") returned 1 [0050.071] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2=".") returned 1 [0050.071] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="Windows") returned -1 [0050.071] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="MSOCache") returned -1 [0050.071] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="PerfLogs") returned -1 [0050.072] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="DVD Maker") returned 1 [0050.072] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.072] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.072] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="Windows Defender") returned -1 [0050.072] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="Windows Mail") returned -1 [0050.072] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.072] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="Windows NT") returned -1 [0050.072] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.072] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="Startup") returned -1 [0050.072] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="Temp") returned -1 [0050.072] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="meiryon_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\meiryon_boot.ttf") returned="C:\\Boot\\Fonts\\meiryon_boot.ttf" [0050.072] PathFindExtensionW (pszPath="meiryon_boot.ttf") returned=".ttf" [0050.072] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.077] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="..") returned 1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2=".") returned 1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="Windows") returned -1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="MSOCache") returned -1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="PerfLogs") returned -1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="DVD Maker") returned 1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="Windows Defender") returned -1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="Windows Mail") returned -1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="Windows NT") returned -1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="Startup") returned -1 [0050.077] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="Temp") returned -1 [0050.077] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="meiryo_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\meiryo_boot.ttf") returned="C:\\Boot\\Fonts\\meiryo_boot.ttf" [0050.077] PathFindExtensionW (pszPath="meiryo_boot.ttf") returned=".ttf" [0050.077] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.078] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="..") returned 1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2=".") returned 1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="Windows") returned -1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="MSOCache") returned -1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="PerfLogs") returned -1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="DVD Maker") returned 1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="Windows Defender") returned -1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="Windows Mail") returned -1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="Windows NT") returned -1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="Startup") returned -1 [0050.078] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="Temp") returned -1 [0050.078] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="msjhn_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\msjhn_boot.ttf") returned="C:\\Boot\\Fonts\\msjhn_boot.ttf" [0050.078] PathFindExtensionW (pszPath="msjhn_boot.ttf") returned=".ttf" [0050.078] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.078] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="..") returned 1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2=".") returned 1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="Windows") returned -1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="MSOCache") returned -1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="PerfLogs") returned -1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="DVD Maker") returned 1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="Windows Defender") returned -1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="Windows Mail") returned -1 [0050.078] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.079] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="Windows NT") returned -1 [0050.079] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.079] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="Startup") returned -1 [0050.079] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="Temp") returned -1 [0050.079] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="msjh_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\msjh_boot.ttf") returned="C:\\Boot\\Fonts\\msjh_boot.ttf" [0050.079] PathFindExtensionW (pszPath="msjh_boot.ttf") returned=".ttf" [0050.079] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.079] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.079] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="..") returned 1 [0050.079] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2=".") returned 1 [0050.079] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="Windows") returned -1 [0050.079] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="MSOCache") returned 1 [0050.079] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="PerfLogs") returned -1 [0050.079] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="DVD Maker") returned 1 [0050.079] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.079] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.080] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="Windows Defender") returned -1 [0050.080] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="Windows Mail") returned -1 [0050.080] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.080] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="Windows NT") returned -1 [0050.080] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.080] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="Startup") returned -1 [0050.080] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="Temp") returned -1 [0050.080] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="msyhn_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned="C:\\Boot\\Fonts\\msyhn_boot.ttf" [0050.080] PathFindExtensionW (pszPath="msyhn_boot.ttf") returned=".ttf" [0050.080] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.080] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="..") returned 1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2=".") returned 1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="Windows") returned -1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="MSOCache") returned 1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="PerfLogs") returned -1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="DVD Maker") returned 1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="Reference Assemblies") returned -1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="Windows Defender") returned -1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="Windows Mail") returned -1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="Windows NT") returned -1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="Startup") returned -1 [0050.080] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="Temp") returned -1 [0050.080] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="msyh_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\msyh_boot.ttf") returned="C:\\Boot\\Fonts\\msyh_boot.ttf" [0050.080] PathFindExtensionW (pszPath="msyh_boot.ttf") returned=".ttf" [0050.080] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.080] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.080] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="..") returned 1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2=".") returned 1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="Windows") returned -1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="MSOCache") returned 1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="PerfLogs") returned 1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="DVD Maker") returned 1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="Reference Assemblies") returned 1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="Windows Defender") returned -1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="Windows Mail") returned -1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="Windows NT") returned -1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="Startup") returned -1 [0050.081] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="Temp") returned -1 [0050.081] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="segmono_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\segmono_boot.ttf") returned="C:\\Boot\\Fonts\\segmono_boot.ttf" [0050.081] PathFindExtensionW (pszPath="segmono_boot.ttf") returned=".ttf" [0050.081] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.081] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="..") returned 1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2=".") returned 1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="Windows") returned -1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="MSOCache") returned 1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="PerfLogs") returned 1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="DVD Maker") returned 1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="Internet Explorer") returned 1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="Reference Assemblies") returned 1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="Windows Defender") returned -1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="Windows Mail") returned -1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="Windows Media Player") returned -1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="Windows NT") returned -1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="Windows Sidebar") returned -1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="Startup") returned -1 [0050.082] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="Temp") returned -1 [0050.082] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="segoen_slboot.ttf" | out: pszDest="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned="C:\\Boot\\Fonts\\segoen_slboot.ttf" [0050.082] PathFindExtensionW (pszPath="segoen_slboot.ttf") returned=".ttf" [0050.082] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.107] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="..") returned 1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2=".") returned 1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="Windows") returned -1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="MSOCache") returned 1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="PerfLogs") returned 1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="DVD Maker") returned 1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="Internet Explorer") returned 1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="Reference Assemblies") returned 1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="Windows Defender") returned -1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="Windows Mail") returned -1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="Windows Media Player") returned -1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="Windows NT") returned -1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="Windows Sidebar") returned -1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="Startup") returned -1 [0050.107] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="Temp") returned -1 [0050.108] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="segoe_slboot.ttf" | out: pszDest="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned="C:\\Boot\\Fonts\\segoe_slboot.ttf" [0050.108] PathFindExtensionW (pszPath="segoe_slboot.ttf") returned=".ttf" [0050.108] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.108] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="..") returned 1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2=".") returned 1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="Windows") returned -1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="MSOCache") returned 1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="PerfLogs") returned 1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="DVD Maker") returned 1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="Internet Explorer") returned 1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="Reference Assemblies") returned 1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="Windows Defender") returned -1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="Windows Mail") returned -1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="Windows Media Player") returned -1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="Windows NT") returned -1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="Windows Sidebar") returned -1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="Startup") returned 1 [0050.108] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="Temp") returned 1 [0050.108] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Fonts", pszFile="wgl4_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned="C:\\Boot\\Fonts\\wgl4_boot.ttf" [0050.108] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0050.108] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.108] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.108] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0050.109] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="Windows") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="MSOCache") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="PerfLogs") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="DVD Maker") returned 1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="Internet Explorer") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="Reference Assemblies") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="Windows Defender") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="Windows Mail") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="Windows Media Player") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="Windows NT") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="Windows Sidebar") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="Startup") returned -1 [0050.109] lstrcmpW (lpString1="fr-FR", lpString2="Temp") returned -1 [0050.109] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="fr-FR" | out: pszDest="C:\\Boot\\fr-FR") returned="C:\\Boot\\fr-FR" [0050.109] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\fr-FR", pszFile="*.*" | out: pszDest="C:\\Boot\\fr-FR\\*.*") returned="C:\\Boot\\fr-FR\\*.*" [0050.109] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4dd8 [0050.109] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.109] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.109] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.109] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.109] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.109] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.109] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.109] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.109] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.109] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.109] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.110] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.110] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.110] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.110] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.110] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.110] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.110] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.110] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\fr-FR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned="C:\\Boot\\fr-FR\\bootmgr.exe.mui" [0050.110] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.110] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.110] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.110] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.111] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.111] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.111] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.111] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.111] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\fr-FR", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\fr-FR\\memtest.exe.mui") returned="C:\\Boot\\fr-FR\\memtest.exe.mui" [0050.111] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.111] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.111] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.111] FindClose (in: hFindFile=0x4d4dd8 | out: hFindFile=0x4d4dd8) returned 1 [0050.111] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="..") returned 1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2=".") returned 1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="Windows") returned -1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="MSOCache") returned -1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="PerfLogs") returned -1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="DVD Maker") returned 1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="Internet Explorer") returned -1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="Reference Assemblies") returned -1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="Windows Defender") returned -1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="Windows Mail") returned -1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="Windows Media Player") returned -1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="Windows NT") returned -1 [0050.111] lstrcmpW (lpString1="hr-HR", lpString2="Windows Sidebar") returned -1 [0050.112] lstrcmpW (lpString1="hr-HR", lpString2="Startup") returned -1 [0050.112] lstrcmpW (lpString1="hr-HR", lpString2="Temp") returned -1 [0050.112] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="hr-HR" | out: pszDest="C:\\Boot\\hr-HR") returned="C:\\Boot\\hr-HR" [0050.112] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\hr-HR", pszFile="*.*" | out: pszDest="C:\\Boot\\hr-HR\\*.*") returned="C:\\Boot\\hr-HR\\*.*" [0050.112] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4c18 [0050.112] FindNextFileW (in: hFindFile=0x4d4c18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.112] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.112] FindNextFileW (in: hFindFile=0x4d4c18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.112] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.112] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\hr-HR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned="C:\\Boot\\hr-HR\\bootmgr.exe.mui" [0050.112] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.112] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.113] FindNextFileW (in: hFindFile=0x4d4c18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.113] FindClose (in: hFindFile=0x4d4c18 | out: hFindFile=0x4d4c18) returned 1 [0050.113] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="Windows") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="MSOCache") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="PerfLogs") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="DVD Maker") returned 1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="Internet Explorer") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="Reference Assemblies") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="Windows Defender") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="Windows Mail") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="Windows Media Player") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="Windows NT") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="Windows Sidebar") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="Startup") returned -1 [0050.113] lstrcmpW (lpString1="hu-HU", lpString2="Temp") returned -1 [0050.113] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="hu-HU" | out: pszDest="C:\\Boot\\hu-HU") returned="C:\\Boot\\hu-HU" [0050.113] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\hu-HU", pszFile="*.*" | out: pszDest="C:\\Boot\\hu-HU\\*.*") returned="C:\\Boot\\hu-HU\\*.*" [0050.113] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4d98 [0050.113] FindNextFileW (in: hFindFile=0x4d4d98, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.113] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.113] FindNextFileW (in: hFindFile=0x4d4d98, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.113] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.114] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.114] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.114] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.114] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.114] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\hu-HU", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned="C:\\Boot\\hu-HU\\bootmgr.exe.mui" [0050.114] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.114] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.114] FindNextFileW (in: hFindFile=0x4d4d98, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.114] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.114] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\hu-HU", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\hu-HU\\memtest.exe.mui") returned="C:\\Boot\\hu-HU\\memtest.exe.mui" [0050.114] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.115] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.115] FindNextFileW (in: hFindFile=0x4d4d98, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.115] FindClose (in: hFindFile=0x4d4d98 | out: hFindFile=0x4d4d98) returned 1 [0050.115] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.115] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0050.115] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0050.115] lstrcmpW (lpString1="it-IT", lpString2="Windows") returned -1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="MSOCache") returned -1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="PerfLogs") returned -1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="DVD Maker") returned 1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="Internet Explorer") returned 1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="Reference Assemblies") returned -1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="Windows Defender") returned -1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="Windows Mail") returned -1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="Windows Media Player") returned -1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="Windows NT") returned -1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="Windows Sidebar") returned -1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="Startup") returned -1 [0050.116] lstrcmpW (lpString1="it-IT", lpString2="Temp") returned -1 [0050.116] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="it-IT" | out: pszDest="C:\\Boot\\it-IT") returned="C:\\Boot\\it-IT" [0050.116] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\it-IT", pszFile="*.*" | out: pszDest="C:\\Boot\\it-IT\\*.*") returned="C:\\Boot\\it-IT\\*.*" [0050.116] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4e58 [0050.116] FindNextFileW (in: hFindFile=0x4d4e58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.116] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.116] FindNextFileW (in: hFindFile=0x4d4e58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.116] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.116] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.116] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.116] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.117] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.117] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.117] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.118] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.118] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.118] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.118] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.118] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.118] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.319] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.319] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.319] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\it-IT", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned="C:\\Boot\\it-IT\\bootmgr.exe.mui" [0050.319] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.319] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.320] FindNextFileW (in: hFindFile=0x4d4e58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.320] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.320] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.320] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.320] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.320] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.320] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.320] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.321] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.321] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.321] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.321] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.321] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.321] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.321] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.321] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.321] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\it-IT", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\it-IT\\memtest.exe.mui") returned="C:\\Boot\\it-IT\\memtest.exe.mui" [0050.321] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.321] CreateFileW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.327] FindNextFileW (in: hFindFile=0x4d4e58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.327] FindClose (in: hFindFile=0x4d4e58 | out: hFindFile=0x4d4e58) returned 1 [0050.327] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="Windows") returned -1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="MSOCache") returned -1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="PerfLogs") returned -1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="DVD Maker") returned 1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="Internet Explorer") returned 1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="Reference Assemblies") returned -1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="Windows Defender") returned -1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="Windows Mail") returned -1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="Windows Media Player") returned -1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="Windows NT") returned -1 [0050.327] lstrcmpW (lpString1="ja-JP", lpString2="Windows Sidebar") returned -1 [0050.328] lstrcmpW (lpString1="ja-JP", lpString2="Startup") returned -1 [0050.328] lstrcmpW (lpString1="ja-JP", lpString2="Temp") returned -1 [0050.328] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="ja-JP" | out: pszDest="C:\\Boot\\ja-JP") returned="C:\\Boot\\ja-JP" [0050.328] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ja-JP", pszFile="*.*" | out: pszDest="C:\\Boot\\ja-JP\\*.*") returned="C:\\Boot\\ja-JP\\*.*" [0050.328] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4dd8 [0050.328] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.328] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.328] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.328] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ja-JP", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned="C:\\Boot\\ja-JP\\bootmgr.exe.mui" [0050.328] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.328] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.335] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.335] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.335] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ja-JP", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\ja-JP\\memtest.exe.mui") returned="C:\\Boot\\ja-JP\\memtest.exe.mui" [0050.335] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.335] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.336] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0050.336] FindClose (in: hFindFile=0x4d4dd8 | out: hFindFile=0x4d4dd8) returned 1 [0050.336] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="Windows") returned -1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="MSOCache") returned -1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="PerfLogs") returned -1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="DVD Maker") returned 1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="Internet Explorer") returned 1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="Reference Assemblies") returned -1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="Windows Defender") returned -1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="Windows Mail") returned -1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="Windows Media Player") returned -1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="Windows NT") returned -1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="Windows Sidebar") returned -1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="Startup") returned -1 [0050.336] lstrcmpW (lpString1="ko-KR", lpString2="Temp") returned -1 [0050.336] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="ko-KR" | out: pszDest="C:\\Boot\\ko-KR") returned="C:\\Boot\\ko-KR" [0050.336] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ko-KR", pszFile="*.*" | out: pszDest="C:\\Boot\\ko-KR\\*.*") returned="C:\\Boot\\ko-KR\\*.*" [0050.337] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4858 [0050.337] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.337] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.337] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0050.337] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0050.337] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ko-KR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned="C:\\Boot\\ko-KR\\bootmgr.exe.mui" [0050.337] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0050.337] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0050.339] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0050.339] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0050.340] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0050.340] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0050.340] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ko-KR", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\ko-KR\\memtest.exe.mui") returned="C:\\Boot\\ko-KR\\memtest.exe.mui" [0050.340] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0050.340] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0053.892] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0053.892] FindClose (in: hFindFile=0x4d4858 | out: hFindFile=0x4d4858) returned 1 [0053.892] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0053.892] lstrcmpW (lpString1="lt-LT", lpString2="..") returned 1 [0053.892] lstrcmpW (lpString1="lt-LT", lpString2=".") returned 1 [0053.892] lstrcmpW (lpString1="lt-LT", lpString2="Windows") returned -1 [0053.892] lstrcmpW (lpString1="lt-LT", lpString2="MSOCache") returned -1 [0053.892] lstrcmpW (lpString1="lt-LT", lpString2="PerfLogs") returned -1 [0053.892] lstrcmpW (lpString1="lt-LT", lpString2="DVD Maker") returned 1 [0053.893] lstrcmpW (lpString1="lt-LT", lpString2="Internet Explorer") returned 1 [0053.893] lstrcmpW (lpString1="lt-LT", lpString2="Reference Assemblies") returned -1 [0053.893] lstrcmpW (lpString1="lt-LT", lpString2="Windows Defender") returned -1 [0053.893] lstrcmpW (lpString1="lt-LT", lpString2="Windows Mail") returned -1 [0053.893] lstrcmpW (lpString1="lt-LT", lpString2="Windows Media Player") returned -1 [0053.893] lstrcmpW (lpString1="lt-LT", lpString2="Windows NT") returned -1 [0053.893] lstrcmpW (lpString1="lt-LT", lpString2="Windows Sidebar") returned -1 [0053.893] lstrcmpW (lpString1="lt-LT", lpString2="Startup") returned -1 [0053.893] lstrcmpW (lpString1="lt-LT", lpString2="Temp") returned -1 [0053.893] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="lt-LT" | out: pszDest="C:\\Boot\\lt-LT") returned="C:\\Boot\\lt-LT" [0053.893] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\lt-LT", pszFile="*.*" | out: pszDest="C:\\Boot\\lt-LT\\*.*") returned="C:\\Boot\\lt-LT\\*.*" [0053.893] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4798 [0053.893] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0053.893] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.893] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0053.893] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0053.893] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0053.893] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0053.893] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0053.893] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0053.893] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0053.893] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0053.893] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0053.893] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0053.894] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0053.894] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0053.894] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0053.894] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0053.894] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0053.894] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0053.894] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\lt-LT", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned="C:\\Boot\\lt-LT\\bootmgr.exe.mui" [0053.894] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0053.894] CreateFileW (lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0053.913] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0053.913] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0053.913] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="..") returned 1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2=".") returned 1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="Windows") returned -1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="MSOCache") returned -1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="PerfLogs") returned -1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="DVD Maker") returned 1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="Internet Explorer") returned 1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="Reference Assemblies") returned -1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="Windows Defender") returned -1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="Windows Mail") returned -1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="Windows Media Player") returned -1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="Windows NT") returned -1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="Windows Sidebar") returned -1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="Startup") returned -1 [0053.913] lstrcmpW (lpString1="lv-LV", lpString2="Temp") returned -1 [0053.913] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="lv-LV" | out: pszDest="C:\\Boot\\lv-LV") returned="C:\\Boot\\lv-LV" [0053.913] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\lv-LV", pszFile="*.*" | out: pszDest="C:\\Boot\\lv-LV\\*.*") returned="C:\\Boot\\lv-LV\\*.*" [0053.913] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4998 [0053.913] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0053.913] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.913] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0053.913] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0053.914] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0053.914] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\lv-LV", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\lv-LV\\bootmgr.exe.mui") returned="C:\\Boot\\lv-LV\\bootmgr.exe.mui" [0053.914] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0053.914] CreateFileW (lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0053.914] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0053.914] FindClose (in: hFindFile=0x4d4998 | out: hFindFile=0x4d4998) returned 1 [0053.914] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="..") returned 1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2=".") returned 1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="Windows") returned -1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="MSOCache") returned -1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="PerfLogs") returned -1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="DVD Maker") returned 1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="Internet Explorer") returned 1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="Reference Assemblies") returned -1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="Windows Defender") returned -1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="Windows Mail") returned -1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="Windows Media Player") returned -1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="Windows NT") returned -1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="Windows Sidebar") returned -1 [0053.914] lstrcmpW (lpString1="memtest.exe", lpString2="Startup") returned -1 [0053.915] lstrcmpW (lpString1="memtest.exe", lpString2="Temp") returned -1 [0053.915] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="memtest.exe" | out: pszDest="C:\\Boot\\memtest.exe") returned="C:\\Boot\\memtest.exe" [0053.915] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0053.915] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0053.962] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0053.962] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0053.962] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0053.962] lstrcmpW (lpString1="nb-NO", lpString2="Windows") returned -1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="MSOCache") returned 1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="PerfLogs") returned -1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="DVD Maker") returned 1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="Internet Explorer") returned 1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="Reference Assemblies") returned -1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="Windows Defender") returned -1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="Windows Mail") returned -1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="Windows Media Player") returned -1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="Windows NT") returned -1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="Windows Sidebar") returned -1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="Startup") returned -1 [0053.963] lstrcmpW (lpString1="nb-NO", lpString2="Temp") returned -1 [0053.963] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="nb-NO" | out: pszDest="C:\\Boot\\nb-NO") returned="C:\\Boot\\nb-NO" [0053.963] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\nb-NO", pszFile="*.*" | out: pszDest="C:\\Boot\\nb-NO\\*.*") returned="C:\\Boot\\nb-NO\\*.*" [0053.963] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4998 [0053.963] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0053.963] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.963] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0053.963] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0053.963] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0053.963] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0053.963] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0053.963] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0053.963] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0053.963] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0053.963] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0053.963] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0053.964] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0053.964] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0053.964] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0053.964] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0053.964] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0053.964] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0053.964] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\nb-NO", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned="C:\\Boot\\nb-NO\\bootmgr.exe.mui" [0053.964] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0053.964] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.012] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.012] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.012] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\nb-NO", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\nb-NO\\memtest.exe.mui") returned="C:\\Boot\\nb-NO\\memtest.exe.mui" [0054.012] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.012] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.137] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.137] FindClose (in: hFindFile=0x4d4998 | out: hFindFile=0x4d4998) returned 1 [0054.137] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.137] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0054.137] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0054.137] lstrcmpW (lpString1="nl-NL", lpString2="Windows") returned -1 [0054.137] lstrcmpW (lpString1="nl-NL", lpString2="MSOCache") returned 1 [0054.137] lstrcmpW (lpString1="nl-NL", lpString2="PerfLogs") returned -1 [0054.137] lstrcmpW (lpString1="nl-NL", lpString2="DVD Maker") returned 1 [0054.137] lstrcmpW (lpString1="nl-NL", lpString2="Internet Explorer") returned 1 [0054.137] lstrcmpW (lpString1="nl-NL", lpString2="Reference Assemblies") returned -1 [0054.138] lstrcmpW (lpString1="nl-NL", lpString2="Windows Defender") returned -1 [0054.138] lstrcmpW (lpString1="nl-NL", lpString2="Windows Mail") returned -1 [0054.165] lstrcmpW (lpString1="nl-NL", lpString2="Windows Media Player") returned -1 [0054.165] lstrcmpW (lpString1="nl-NL", lpString2="Windows NT") returned -1 [0054.165] lstrcmpW (lpString1="nl-NL", lpString2="Windows Sidebar") returned -1 [0054.165] lstrcmpW (lpString1="nl-NL", lpString2="Startup") returned -1 [0054.165] lstrcmpW (lpString1="nl-NL", lpString2="Temp") returned -1 [0054.165] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="nl-NL" | out: pszDest="C:\\Boot\\nl-NL") returned="C:\\Boot\\nl-NL" [0054.166] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\nl-NL", pszFile="*.*" | out: pszDest="C:\\Boot\\nl-NL\\*.*") returned="C:\\Boot\\nl-NL\\*.*" [0054.166] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4958 [0054.166] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.168] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.168] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.168] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.169] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.169] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\nl-NL", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned="C:\\Boot\\nl-NL\\bootmgr.exe.mui" [0054.169] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.169] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.259] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.259] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.259] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\nl-NL", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\nl-NL\\memtest.exe.mui") returned="C:\\Boot\\nl-NL\\memtest.exe.mui" [0054.259] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.259] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.259] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.259] FindClose (in: hFindFile=0x4d4958 | out: hFindFile=0x4d4958) returned 1 [0054.259] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.259] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0054.259] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0054.259] lstrcmpW (lpString1="pl-PL", lpString2="Windows") returned -1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="MSOCache") returned 1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="PerfLogs") returned 1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="DVD Maker") returned 1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="Internet Explorer") returned 1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="Reference Assemblies") returned -1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="Windows Defender") returned -1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="Windows Mail") returned -1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="Windows Media Player") returned -1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="Windows NT") returned -1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="Windows Sidebar") returned -1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="Startup") returned -1 [0054.260] lstrcmpW (lpString1="pl-PL", lpString2="Temp") returned -1 [0054.260] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="pl-PL" | out: pszDest="C:\\Boot\\pl-PL") returned="C:\\Boot\\pl-PL" [0054.260] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\pl-PL", pszFile="*.*" | out: pszDest="C:\\Boot\\pl-PL\\*.*") returned="C:\\Boot\\pl-PL\\*.*" [0054.260] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4958 [0054.260] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.260] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.260] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.260] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.260] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\pl-PL", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned="C:\\Boot\\pl-PL\\bootmgr.exe.mui" [0054.260] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.261] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.262] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.262] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.262] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\pl-PL", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\pl-PL\\memtest.exe.mui") returned="C:\\Boot\\pl-PL\\memtest.exe.mui" [0054.262] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.262] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.263] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.263] FindClose (in: hFindFile=0x4d4958 | out: hFindFile=0x4d4958) returned 1 [0054.264] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="Windows") returned -1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="MSOCache") returned 1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="PerfLogs") returned 1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="DVD Maker") returned 1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="Internet Explorer") returned 1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="Reference Assemblies") returned -1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="Windows Defender") returned -1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="Windows Mail") returned -1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="Windows Media Player") returned -1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="Windows NT") returned -1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="Windows Sidebar") returned -1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="Startup") returned -1 [0054.264] lstrcmpW (lpString1="pt-BR", lpString2="Temp") returned -1 [0054.264] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="pt-BR" | out: pszDest="C:\\Boot\\pt-BR") returned="C:\\Boot\\pt-BR" [0054.264] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\pt-BR", pszFile="*.*" | out: pszDest="C:\\Boot\\pt-BR\\*.*") returned="C:\\Boot\\pt-BR\\*.*" [0054.264] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4798 [0054.264] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.264] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.264] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.264] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.265] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.265] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.265] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.265] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.265] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\pt-BR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned="C:\\Boot\\pt-BR\\bootmgr.exe.mui" [0054.265] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.265] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.265] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.265] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.265] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.265] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.265] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.265] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.265] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.265] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.265] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.265] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.265] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.266] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.266] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.266] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.266] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.266] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.266] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\pt-BR", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\pt-BR\\memtest.exe.mui") returned="C:\\Boot\\pt-BR\\memtest.exe.mui" [0054.266] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.266] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.266] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.266] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0054.266] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="Windows") returned -1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="MSOCache") returned 1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="PerfLogs") returned 1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="DVD Maker") returned 1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="Internet Explorer") returned 1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="Reference Assemblies") returned -1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="Windows Defender") returned -1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="Windows Mail") returned -1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="Windows Media Player") returned -1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="Windows NT") returned -1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="Windows Sidebar") returned -1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="Startup") returned -1 [0054.266] lstrcmpW (lpString1="pt-PT", lpString2="Temp") returned -1 [0054.266] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="pt-PT" | out: pszDest="C:\\Boot\\pt-PT") returned="C:\\Boot\\pt-PT" [0054.266] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\pt-PT", pszFile="*.*" | out: pszDest="C:\\Boot\\pt-PT\\*.*") returned="C:\\Boot\\pt-PT\\*.*" [0054.266] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4998 [0054.266] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.267] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.267] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.267] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.267] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\pt-PT", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned="C:\\Boot\\pt-PT\\bootmgr.exe.mui" [0054.267] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.267] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.268] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.268] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.268] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\pt-PT", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\pt-PT\\memtest.exe.mui") returned="C:\\Boot\\pt-PT\\memtest.exe.mui" [0054.268] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.268] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.268] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.268] FindClose (in: hFindFile=0x4d4998 | out: hFindFile=0x4d4998) returned 1 [0054.268] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="..") returned 1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2=".") returned 1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="Windows") returned -1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="MSOCache") returned 1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="PerfLogs") returned 1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="DVD Maker") returned 1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="Internet Explorer") returned 1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="Reference Assemblies") returned -1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="Windows Defender") returned -1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="Windows Mail") returned -1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="Windows Media Player") returned -1 [0054.268] lstrcmpW (lpString1="qps-ploc", lpString2="Windows NT") returned -1 [0054.269] lstrcmpW (lpString1="qps-ploc", lpString2="Windows Sidebar") returned -1 [0054.269] lstrcmpW (lpString1="qps-ploc", lpString2="Startup") returned -1 [0054.269] lstrcmpW (lpString1="qps-ploc", lpString2="Temp") returned -1 [0054.269] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="qps-ploc" | out: pszDest="C:\\Boot\\qps-ploc") returned="C:\\Boot\\qps-ploc" [0054.269] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\qps-ploc", pszFile="*.*" | out: pszDest="C:\\Boot\\qps-ploc\\*.*") returned="C:\\Boot\\qps-ploc\\*.*" [0054.269] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4d18 [0054.269] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.269] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.269] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.269] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.269] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\qps-ploc", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\qps-ploc\\bootmgr.exe.mui") returned="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" [0054.269] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.269] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.269] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.269] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.269] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.269] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.270] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.270] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\qps-ploc", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\qps-ploc\\memtest.exe.mui") returned="C:\\Boot\\qps-ploc\\memtest.exe.mui" [0054.270] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.270] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.270] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.270] FindClose (in: hFindFile=0x4d4d18 | out: hFindFile=0x4d4d18) returned 1 [0054.270] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.270] lstrcmpW (lpString1="Resources", lpString2="..") returned 1 [0054.270] lstrcmpW (lpString1="Resources", lpString2=".") returned 1 [0054.270] lstrcmpW (lpString1="Resources", lpString2="Windows") returned -1 [0054.270] lstrcmpW (lpString1="Resources", lpString2="MSOCache") returned 1 [0054.270] lstrcmpW (lpString1="Resources", lpString2="PerfLogs") returned 1 [0054.270] lstrcmpW (lpString1="Resources", lpString2="DVD Maker") returned 1 [0054.270] lstrcmpW (lpString1="Resources", lpString2="Internet Explorer") returned 1 [0054.270] lstrcmpW (lpString1="Resources", lpString2="Reference Assemblies") returned 1 [0054.270] lstrcmpW (lpString1="Resources", lpString2="Windows Defender") returned -1 [0054.271] lstrcmpW (lpString1="Resources", lpString2="Windows Mail") returned -1 [0054.271] lstrcmpW (lpString1="Resources", lpString2="Windows Media Player") returned -1 [0054.271] lstrcmpW (lpString1="Resources", lpString2="Windows NT") returned -1 [0054.271] lstrcmpW (lpString1="Resources", lpString2="Windows Sidebar") returned -1 [0054.271] lstrcmpW (lpString1="Resources", lpString2="Startup") returned -1 [0054.271] lstrcmpW (lpString1="Resources", lpString2="Temp") returned -1 [0054.271] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="Resources" | out: pszDest="C:\\Boot\\Resources") returned="C:\\Boot\\Resources" [0054.271] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Resources", pszFile="*.*" | out: pszDest="C:\\Boot\\Resources\\*.*") returned="C:\\Boot\\Resources\\*.*" [0054.271] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4798 [0054.271] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.271] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.271] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="..") returned 1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2=".") returned 1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="Windows") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="MSOCache") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="PerfLogs") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="DVD Maker") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="Internet Explorer") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="Reference Assemblies") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="Windows Defender") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="Windows Mail") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="Windows Media Player") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="Windows NT") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="Windows Sidebar") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="Startup") returned -1 [0054.271] lstrcmpW (lpString1="bootres.dll", lpString2="Temp") returned -1 [0054.271] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Resources", pszFile="bootres.dll" | out: pszDest="C:\\Boot\\Resources\\bootres.dll") returned="C:\\Boot\\Resources\\bootres.dll" [0054.271] PathFindExtensionW (pszPath="bootres.dll") returned=".dll" [0054.271] CreateFileW (lpFileName="C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.271] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0054.272] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="Windows") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="MSOCache") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="PerfLogs") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="DVD Maker") returned 1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="Internet Explorer") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="Reference Assemblies") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="Windows Defender") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="Windows Mail") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="Windows Media Player") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="Windows NT") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="Windows Sidebar") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="Startup") returned -1 [0054.272] lstrcmpW (lpString1="en-US", lpString2="Temp") returned -1 [0054.272] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\Resources", pszFile="en-US" | out: pszDest="C:\\Boot\\Resources\\en-US") returned="C:\\Boot\\Resources\\en-US" [0054.272] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Boot\\Resources\\en-US", pszFile="*.*" | out: pszDest="C:\\Boot\\Resources\\en-US\\*.*") returned="C:\\Boot\\Resources\\en-US\\*.*" [0054.272] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*.*", lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 0x4d4a98 [0054.272] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0054.272] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.272] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="..") returned 1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2=".") returned 1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="Windows") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="MSOCache") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="PerfLogs") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="DVD Maker") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="Internet Explorer") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="Reference Assemblies") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="Windows Defender") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="Windows Mail") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="Windows Media Player") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="Windows NT") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="Windows Sidebar") returned -1 [0054.272] lstrcmpW (lpString1="bootres.dll.mui", lpString2="Startup") returned -1 [0054.273] lstrcmpW (lpString1="bootres.dll.mui", lpString2="Temp") returned -1 [0054.273] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Boot\\Resources\\en-US", pszFile="bootres.dll.mui" | out: pszDest="C:\\Boot\\Resources\\en-US\\bootres.dll.mui") returned="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" [0054.273] PathFindExtensionW (pszPath="bootres.dll.mui") returned=".mui" [0054.273] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.273] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 0 [0054.273] FindClose (in: hFindFile=0x4d4a98 | out: hFindFile=0x4d4a98) returned 1 [0054.273] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.273] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0054.273] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="..") returned 1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2=".") returned 1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="Windows") returned -1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="MSOCache") returned 1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="PerfLogs") returned 1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="DVD Maker") returned 1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="Internet Explorer") returned 1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="Reference Assemblies") returned 1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="Windows Defender") returned -1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="Windows Mail") returned -1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="Windows Media Player") returned -1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="Windows NT") returned -1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="Windows Sidebar") returned -1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="Startup") returned -1 [0054.273] lstrcmpW (lpString1="ro-RO", lpString2="Temp") returned -1 [0054.273] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="ro-RO" | out: pszDest="C:\\Boot\\ro-RO") returned="C:\\Boot\\ro-RO" [0054.273] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ro-RO", pszFile="*.*" | out: pszDest="C:\\Boot\\ro-RO\\*.*") returned="C:\\Boot\\ro-RO\\*.*" [0054.273] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d47d8 [0054.273] FindNextFileW (in: hFindFile=0x4d47d8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.274] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.274] FindNextFileW (in: hFindFile=0x4d47d8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.274] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.274] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ro-RO", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned="C:\\Boot\\ro-RO\\bootmgr.exe.mui" [0054.274] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.274] CreateFileW (lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.274] FindNextFileW (in: hFindFile=0x4d47d8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.274] FindClose (in: hFindFile=0x4d47d8 | out: hFindFile=0x4d47d8) returned 1 [0054.274] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="Windows") returned -1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="MSOCache") returned 1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="PerfLogs") returned 1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="DVD Maker") returned 1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="Internet Explorer") returned 1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="Reference Assemblies") returned 1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="Windows Defender") returned -1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="Windows Mail") returned -1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="Windows Media Player") returned -1 [0054.274] lstrcmpW (lpString1="ru-RU", lpString2="Windows NT") returned -1 [0054.275] lstrcmpW (lpString1="ru-RU", lpString2="Windows Sidebar") returned -1 [0054.275] lstrcmpW (lpString1="ru-RU", lpString2="Startup") returned -1 [0054.275] lstrcmpW (lpString1="ru-RU", lpString2="Temp") returned -1 [0054.275] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="ru-RU" | out: pszDest="C:\\Boot\\ru-RU") returned="C:\\Boot\\ru-RU" [0054.275] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ru-RU", pszFile="*.*" | out: pszDest="C:\\Boot\\ru-RU\\*.*") returned="C:\\Boot\\ru-RU\\*.*" [0054.275] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4bd8 [0054.275] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.275] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.275] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.275] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ru-RU", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned="C:\\Boot\\ru-RU\\bootmgr.exe.mui" [0054.275] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.275] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.276] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.276] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.276] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\ru-RU", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\ru-RU\\memtest.exe.mui") returned="C:\\Boot\\ru-RU\\memtest.exe.mui" [0054.276] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.276] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.276] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.276] FindClose (in: hFindFile=0x4d4bd8 | out: hFindFile=0x4d4bd8) returned 1 [0054.276] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.276] lstrcmpW (lpString1="sk-SK", lpString2="..") returned 1 [0054.276] lstrcmpW (lpString1="sk-SK", lpString2=".") returned 1 [0054.276] lstrcmpW (lpString1="sk-SK", lpString2="Windows") returned -1 [0054.276] lstrcmpW (lpString1="sk-SK", lpString2="MSOCache") returned 1 [0054.276] lstrcmpW (lpString1="sk-SK", lpString2="PerfLogs") returned 1 [0054.276] lstrcmpW (lpString1="sk-SK", lpString2="DVD Maker") returned 1 [0054.276] lstrcmpW (lpString1="sk-SK", lpString2="Internet Explorer") returned 1 [0054.276] lstrcmpW (lpString1="sk-SK", lpString2="Reference Assemblies") returned 1 [0054.276] lstrcmpW (lpString1="sk-SK", lpString2="Windows Defender") returned -1 [0054.277] lstrcmpW (lpString1="sk-SK", lpString2="Windows Mail") returned -1 [0054.277] lstrcmpW (lpString1="sk-SK", lpString2="Windows Media Player") returned -1 [0054.277] lstrcmpW (lpString1="sk-SK", lpString2="Windows NT") returned -1 [0054.277] lstrcmpW (lpString1="sk-SK", lpString2="Windows Sidebar") returned -1 [0054.277] lstrcmpW (lpString1="sk-SK", lpString2="Startup") returned -1 [0054.277] lstrcmpW (lpString1="sk-SK", lpString2="Temp") returned -1 [0054.277] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="sk-SK" | out: pszDest="C:\\Boot\\sk-SK") returned="C:\\Boot\\sk-SK" [0054.277] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sk-SK", pszFile="*.*" | out: pszDest="C:\\Boot\\sk-SK\\*.*") returned="C:\\Boot\\sk-SK\\*.*" [0054.277] FindFirstFileW (in: lpFileName="C:\\Boot\\sk-SK\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4d98 [0054.277] FindNextFileW (in: hFindFile=0x4d4d98, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.277] FindNextFileW (in: hFindFile=0x4d4d98, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.277] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.277] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sk-SK", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned="C:\\Boot\\sk-SK\\bootmgr.exe.mui" [0054.277] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.277] CreateFileW (lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.359] FindNextFileW (in: hFindFile=0x4d4d98, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.359] FindClose (in: hFindFile=0x4d4d98 | out: hFindFile=0x4d4d98) returned 1 [0054.359] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="..") returned 1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2=".") returned 1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="Windows") returned -1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="MSOCache") returned 1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="PerfLogs") returned 1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="DVD Maker") returned 1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="Internet Explorer") returned 1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="Reference Assemblies") returned 1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="Windows Defender") returned -1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="Windows Mail") returned -1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="Windows Media Player") returned -1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="Windows NT") returned -1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="Windows Sidebar") returned -1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="Startup") returned -1 [0054.359] lstrcmpW (lpString1="sl-SI", lpString2="Temp") returned -1 [0054.359] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="sl-SI" | out: pszDest="C:\\Boot\\sl-SI") returned="C:\\Boot\\sl-SI" [0054.359] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sl-SI", pszFile="*.*" | out: pszDest="C:\\Boot\\sl-SI\\*.*") returned="C:\\Boot\\sl-SI\\*.*" [0054.359] FindFirstFileW (in: lpFileName="C:\\Boot\\sl-SI\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4998 [0054.360] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.360] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.360] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.360] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sl-SI", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned="C:\\Boot\\sl-SI\\bootmgr.exe.mui" [0054.360] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.360] CreateFileW (lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.361] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.361] FindClose (in: hFindFile=0x4d4998 | out: hFindFile=0x4d4998) returned 1 [0054.362] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows") returned -1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="MSOCache") returned 1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="PerfLogs") returned 1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="DVD Maker") returned 1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Internet Explorer") returned 1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Reference Assemblies") returned 1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows Defender") returned -1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows Mail") returned -1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows Media Player") returned -1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows NT") returned -1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows Sidebar") returned -1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Startup") returned -1 [0054.362] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Temp") returned -1 [0054.362] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="sr-Latn-CS" | out: pszDest="C:\\Boot\\sr-Latn-CS") returned="C:\\Boot\\sr-Latn-CS" [0054.362] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sr-Latn-CS", pszFile="*.*" | out: pszDest="C:\\Boot\\sr-Latn-CS\\*.*") returned="C:\\Boot\\sr-Latn-CS\\*.*" [0054.362] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4d58 [0054.362] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.362] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.362] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.363] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.363] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.363] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.363] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.363] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sr-Latn-CS", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" [0054.363] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.363] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.363] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.363] FindClose (in: hFindFile=0x4d4d58 | out: hFindFile=0x4d4d58) returned 1 [0054.363] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="..") returned 1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2=".") returned 1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows") returned -1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="MSOCache") returned 1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="PerfLogs") returned 1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="DVD Maker") returned 1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Internet Explorer") returned 1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Reference Assemblies") returned 1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows Defender") returned -1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows Mail") returned -1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows Media Player") returned -1 [0054.363] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows NT") returned -1 [0054.364] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows Sidebar") returned -1 [0054.364] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Startup") returned -1 [0054.364] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Temp") returned -1 [0054.364] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="sr-Latn-RS" | out: pszDest="C:\\Boot\\sr-Latn-RS") returned="C:\\Boot\\sr-Latn-RS" [0054.364] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sr-Latn-RS", pszFile="*.*" | out: pszDest="C:\\Boot\\sr-Latn-RS\\*.*") returned="C:\\Boot\\sr-Latn-RS\\*.*" [0054.364] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4b58 [0054.364] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.364] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.364] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.364] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.364] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sr-Latn-RS", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" [0054.364] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.364] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.420] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.421] FindClose (in: hFindFile=0x4d4b58 | out: hFindFile=0x4d4b58) returned 1 [0054.421] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.421] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0054.421] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0054.421] lstrcmpW (lpString1="sv-SE", lpString2="Windows") returned -1 [0054.421] lstrcmpW (lpString1="sv-SE", lpString2="MSOCache") returned 1 [0054.421] lstrcmpW (lpString1="sv-SE", lpString2="PerfLogs") returned 1 [0054.421] lstrcmpW (lpString1="sv-SE", lpString2="DVD Maker") returned 1 [0054.421] lstrcmpW (lpString1="sv-SE", lpString2="Internet Explorer") returned 1 [0054.421] lstrcmpW (lpString1="sv-SE", lpString2="Reference Assemblies") returned 1 [0054.421] lstrcmpW (lpString1="sv-SE", lpString2="Windows Defender") returned -1 [0054.422] lstrcmpW (lpString1="sv-SE", lpString2="Windows Mail") returned -1 [0054.422] lstrcmpW (lpString1="sv-SE", lpString2="Windows Media Player") returned -1 [0054.422] lstrcmpW (lpString1="sv-SE", lpString2="Windows NT") returned -1 [0054.422] lstrcmpW (lpString1="sv-SE", lpString2="Windows Sidebar") returned -1 [0054.422] lstrcmpW (lpString1="sv-SE", lpString2="Startup") returned 1 [0054.422] lstrcmpW (lpString1="sv-SE", lpString2="Temp") returned -1 [0054.422] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="sv-SE" | out: pszDest="C:\\Boot\\sv-SE") returned="C:\\Boot\\sv-SE" [0054.422] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sv-SE", pszFile="*.*" | out: pszDest="C:\\Boot\\sv-SE\\*.*") returned="C:\\Boot\\sv-SE\\*.*" [0054.422] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4cd8 [0054.422] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.422] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.422] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.422] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.422] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.422] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.422] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.422] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.422] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.422] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.422] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.422] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.422] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.423] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.423] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.423] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.423] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.423] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.423] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sv-SE", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned="C:\\Boot\\sv-SE\\bootmgr.exe.mui" [0054.423] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.423] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.423] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.423] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.424] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.424] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.424] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.424] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\sv-SE", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\sv-SE\\memtest.exe.mui") returned="C:\\Boot\\sv-SE\\memtest.exe.mui" [0054.424] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.424] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.424] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.424] FindClose (in: hFindFile=0x4d4cd8 | out: hFindFile=0x4d4cd8) returned 1 [0054.424] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="Windows") returned -1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="MSOCache") returned 1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="PerfLogs") returned 1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="DVD Maker") returned 1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="Internet Explorer") returned 1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="Reference Assemblies") returned 1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="Windows Defender") returned -1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="Windows Mail") returned -1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="Windows Media Player") returned -1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="Windows NT") returned -1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="Windows Sidebar") returned -1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="Startup") returned 1 [0054.424] lstrcmpW (lpString1="tr-TR", lpString2="Temp") returned 1 [0054.425] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="tr-TR" | out: pszDest="C:\\Boot\\tr-TR") returned="C:\\Boot\\tr-TR" [0054.425] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\tr-TR", pszFile="*.*" | out: pszDest="C:\\Boot\\tr-TR\\*.*") returned="C:\\Boot\\tr-TR\\*.*" [0054.425] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4b18 [0054.425] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.425] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.425] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.425] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.425] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\tr-TR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned="C:\\Boot\\tr-TR\\bootmgr.exe.mui" [0054.425] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.425] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.426] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.426] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.426] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\tr-TR", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\tr-TR\\memtest.exe.mui") returned="C:\\Boot\\tr-TR\\memtest.exe.mui" [0054.426] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.426] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.426] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.426] FindClose (in: hFindFile=0x4d4b18 | out: hFindFile=0x4d4b18) returned 1 [0054.427] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="..") returned 1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2=".") returned 1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="Windows") returned -1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="MSOCache") returned 1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="PerfLogs") returned 1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="DVD Maker") returned 1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="Internet Explorer") returned 1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="Reference Assemblies") returned 1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="Windows Defender") returned -1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="Windows Mail") returned -1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="Windows Media Player") returned -1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="Windows NT") returned -1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="Windows Sidebar") returned -1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="Startup") returned 1 [0054.427] lstrcmpW (lpString1="uk-UA", lpString2="Temp") returned 1 [0054.427] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="uk-UA" | out: pszDest="C:\\Boot\\uk-UA") returned="C:\\Boot\\uk-UA" [0054.427] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\uk-UA", pszFile="*.*" | out: pszDest="C:\\Boot\\uk-UA\\*.*") returned="C:\\Boot\\uk-UA\\*.*" [0054.427] FindFirstFileW (in: lpFileName="C:\\Boot\\uk-UA\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d47d8 [0054.427] FindNextFileW (in: hFindFile=0x4d47d8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.427] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.427] FindNextFileW (in: hFindFile=0x4d47d8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.428] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.428] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\uk-UA", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\uk-UA\\bootmgr.exe.mui") returned="C:\\Boot\\uk-UA\\bootmgr.exe.mui" [0054.428] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.428] CreateFileW (lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.436] FindNextFileW (in: hFindFile=0x4d47d8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.436] FindClose (in: hFindFile=0x4d47d8 | out: hFindFile=0x4d47d8) returned 1 [0054.436] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.436] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0054.436] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0054.436] lstrcmpW (lpString1="zh-CN", lpString2="Windows") returned 1 [0054.436] lstrcmpW (lpString1="zh-CN", lpString2="MSOCache") returned 1 [0054.436] lstrcmpW (lpString1="zh-CN", lpString2="PerfLogs") returned 1 [0054.436] lstrcmpW (lpString1="zh-CN", lpString2="DVD Maker") returned 1 [0054.436] lstrcmpW (lpString1="zh-CN", lpString2="Internet Explorer") returned 1 [0054.436] lstrcmpW (lpString1="zh-CN", lpString2="Reference Assemblies") returned 1 [0054.436] lstrcmpW (lpString1="zh-CN", lpString2="Windows Defender") returned 1 [0054.436] lstrcmpW (lpString1="zh-CN", lpString2="Windows Mail") returned 1 [0054.437] lstrcmpW (lpString1="zh-CN", lpString2="Windows Media Player") returned 1 [0054.437] lstrcmpW (lpString1="zh-CN", lpString2="Windows NT") returned 1 [0054.437] lstrcmpW (lpString1="zh-CN", lpString2="Windows Sidebar") returned 1 [0054.437] lstrcmpW (lpString1="zh-CN", lpString2="Startup") returned 1 [0054.437] lstrcmpW (lpString1="zh-CN", lpString2="Temp") returned 1 [0054.437] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="zh-CN" | out: pszDest="C:\\Boot\\zh-CN") returned="C:\\Boot\\zh-CN" [0054.437] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\zh-CN", pszFile="*.*" | out: pszDest="C:\\Boot\\zh-CN\\*.*") returned="C:\\Boot\\zh-CN\\*.*" [0054.437] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4798 [0054.437] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.437] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.437] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.437] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.438] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.438] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.438] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\zh-CN", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned="C:\\Boot\\zh-CN\\bootmgr.exe.mui" [0054.438] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.438] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.438] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.438] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.438] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\zh-CN", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\zh-CN\\memtest.exe.mui") returned="C:\\Boot\\zh-CN\\memtest.exe.mui" [0054.439] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.439] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.440] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.440] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0054.440] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="..") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2=".") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="Windows") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="MSOCache") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="PerfLogs") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="DVD Maker") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="Internet Explorer") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="Reference Assemblies") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="Windows Defender") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="Windows Mail") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="Windows Media Player") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="Windows NT") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="Windows Sidebar") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="Startup") returned 1 [0054.440] lstrcmpW (lpString1="zh-HK", lpString2="Temp") returned 1 [0054.440] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="zh-HK" | out: pszDest="C:\\Boot\\zh-HK") returned="C:\\Boot\\zh-HK" [0054.441] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\zh-HK", pszFile="*.*" | out: pszDest="C:\\Boot\\zh-HK\\*.*") returned="C:\\Boot\\zh-HK\\*.*" [0054.441] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4d58 [0054.441] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.441] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.441] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.441] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.441] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\zh-HK", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned="C:\\Boot\\zh-HK\\bootmgr.exe.mui" [0054.441] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.441] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.442] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.442] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.442] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\zh-HK", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\zh-HK\\memtest.exe.mui") returned="C:\\Boot\\zh-HK\\memtest.exe.mui" [0054.442] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.442] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.451] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.451] FindClose (in: hFindFile=0x4d4d58 | out: hFindFile=0x4d4d58) returned 1 [0054.451] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="Windows") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="MSOCache") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="PerfLogs") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="DVD Maker") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="Internet Explorer") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="Reference Assemblies") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="Windows Defender") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="Windows Mail") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="Windows Media Player") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="Windows NT") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="Windows Sidebar") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="Startup") returned 1 [0054.451] lstrcmpW (lpString1="zh-TW", lpString2="Temp") returned 1 [0054.451] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Boot", pszFile="zh-TW" | out: pszDest="C:\\Boot\\zh-TW") returned="C:\\Boot\\zh-TW" [0054.451] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\zh-TW", pszFile="*.*" | out: pszDest="C:\\Boot\\zh-TW\\*.*") returned="C:\\Boot\\zh-TW\\*.*" [0054.451] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d48d8 [0054.451] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.451] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.451] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="MSOCache") returned -1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="PerfLogs") returned -1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="DVD Maker") returned -1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Internet Explorer") returned -1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Defender") returned -1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Mail") returned -1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Media Player") returned -1 [0054.451] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows NT") returned -1 [0054.452] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.452] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Startup") returned -1 [0054.452] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="Temp") returned -1 [0054.452] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\zh-TW", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned="C:\\Boot\\zh-TW\\bootmgr.exe.mui" [0054.452] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0054.452] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.453] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="MSOCache") returned -1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="PerfLogs") returned -1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="DVD Maker") returned 1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Internet Explorer") returned 1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Reference Assemblies") returned -1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Defender") returned -1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Mail") returned -1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Media Player") returned -1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows NT") returned -1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Windows Sidebar") returned -1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Startup") returned -1 [0054.453] lstrcmpW (lpString1="memtest.exe.mui", lpString2="Temp") returned -1 [0054.453] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Boot\\zh-TW", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\zh-TW\\memtest.exe.mui") returned="C:\\Boot\\zh-TW\\memtest.exe.mui" [0054.453] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0054.453] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.454] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0 [0054.454] FindClose (in: hFindFile=0x4d48d8 | out: hFindFile=0x4d48d8) returned 1 [0054.454] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 0 [0054.454] FindClose (in: hFindFile=0x4d4ed8 | out: hFindFile=0x4d4ed8) returned 1 [0054.455] FindNextFileW (in: hFindFile=0x4d4e98, lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="..") returned 1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2=".") returned 1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="Windows") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="MSOCache") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="PerfLogs") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="DVD Maker") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="Internet Explorer") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="Reference Assemblies") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="Windows Defender") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="Windows Mail") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="Windows Media Player") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="Windows NT") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="Windows Sidebar") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="Startup") returned -1 [0054.455] lstrcmpW (lpString1="bootmgr", lpString2="Temp") returned -1 [0054.455] PathCombineW (in: pszDest=0x2acf8a0, pszDir="C:\\", pszFile="bootmgr" | out: pszDest="C:\\bootmgr") returned="C:\\bootmgr" [0054.455] PathFindExtensionW (pszPath="bootmgr") returned="" [0054.455] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.467] FindNextFileW (in: hFindFile=0x4d4e98, lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="..") returned 1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2=".") returned 1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="Windows") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="MSOCache") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="PerfLogs") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="DVD Maker") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="Internet Explorer") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="Reference Assemblies") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="Windows Defender") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="Windows Mail") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="Windows Media Player") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="Windows NT") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="Windows Sidebar") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="Startup") returned -1 [0054.467] lstrcmpW (lpString1="BOOTNXT", lpString2="Temp") returned -1 [0054.467] PathCombineW (in: pszDest=0x2acf8a0, pszDir="C:\\", pszFile="BOOTNXT" | out: pszDest="C:\\BOOTNXT") returned="C:\\BOOTNXT" [0054.467] PathFindExtensionW (pszPath="BOOTNXT") returned="" [0054.467] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0054.483] GetFileSize (in: hFile=0x1fc, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1 [0054.483] CreateFileMappingW (hFile=0x1fc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1, lpName=0x0) returned 0x204 [0054.483] MapViewOfFile (hFileMappingObject=0x204, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0054.484] CloseHandle (hObject=0x204) returned 1 [0054.484] CloseHandle (hObject=0x1fc) returned 1 [0054.486] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0054.486] _wfopen (_FileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), _Mode="rb+") returned 0x76ea4c68 [0054.486] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0054.486] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0054.486] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0054.487] MoveFileW (lpExistingFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="C:\\BOOTNXT.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\bootnxt.[sepsis@protonmail.com].sepsis")) returned 1 [0054.487] FindNextFileW (in: hFindFile=0x4d4e98, lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 1 [0054.487] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0054.487] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0054.487] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="Windows") returned -1 [0054.487] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="MSOCache") returned -1 [0054.487] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="PerfLogs") returned -1 [0054.487] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="DVD Maker") returned -1 [0054.487] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="Internet Explorer") returned -1 [0054.487] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="Reference Assemblies") returned -1 [0054.488] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="Windows Defender") returned -1 [0054.488] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="Windows Mail") returned -1 [0054.488] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="Windows Media Player") returned -1 [0054.488] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="Windows NT") returned -1 [0054.488] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="Windows Sidebar") returned -1 [0054.488] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="Startup") returned -1 [0054.488] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="Temp") returned -1 [0054.488] PathCombineW (in: pszDest=0x2acf8a0, pszDir="C:\\", pszFile="BOOTSECT.BAK" | out: pszDest="C:\\BOOTSECT.BAK") returned="C:\\BOOTSECT.BAK" [0054.488] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0054.488] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.488] FindNextFileW (in: hFindFile=0x4d4e98, lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="Windows") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="MSOCache") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="PerfLogs") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="DVD Maker") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="Internet Explorer") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="Reference Assemblies") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="Windows Defender") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="Windows Mail") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="Windows Media Player") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="Windows NT") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="Windows Sidebar") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="Startup") returned -1 [0054.488] lstrcmpW (lpString1="Documents and Settings", lpString2="Temp") returned -1 [0054.488] PathCombineW (in: pszDest=0x2acf8a0, pszDir="C:\\", pszFile="Documents and Settings" | out: pszDest="C:\\Documents and Settings") returned="C:\\Documents and Settings" [0054.488] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Documents and Settings", pszFile="*.*" | out: pszDest="C:\\Documents and Settings\\*.*") returned="C:\\Documents and Settings\\*.*" [0054.488] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*.*", lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 0xffffffff [0054.489] FindNextFileW (in: hFindFile=0xffffffff, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 0 [0054.489] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0054.489] FindNextFileW (in: hFindFile=0x4d4e98, lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="Windows") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="MSOCache") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="PerfLogs") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="DVD Maker") returned 1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="Internet Explorer") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="Reference Assemblies") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="Windows Defender") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="Windows Mail") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="Windows Media Player") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="Windows NT") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="Windows Sidebar") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="Startup") returned -1 [0054.489] lstrcmpW (lpString1="hiberfil.sys", lpString2="Temp") returned -1 [0054.489] PathCombineW (in: pszDest=0x2acf8a0, pszDir="C:\\", pszFile="hiberfil.sys" | out: pszDest="C:\\hiberfil.sys") returned="C:\\hiberfil.sys" [0054.489] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0054.489] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.489] FindNextFileW (in: hFindFile=0x4d4e98, lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 1 [0054.489] lstrcmpW (lpString1="MSOCache", lpString2="..") returned 1 [0054.490] lstrcmpW (lpString1="MSOCache", lpString2=".") returned 1 [0054.490] lstrcmpW (lpString1="MSOCache", lpString2="Windows") returned -1 [0054.490] lstrcmpW (lpString1="MSOCache", lpString2="MSOCache") returned 0 [0054.490] FindNextFileW (in: hFindFile=0x4d4e98, lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="..") returned 1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2=".") returned 1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="Windows") returned -1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="MSOCache") returned 1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="PerfLogs") returned -1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="DVD Maker") returned 1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="Internet Explorer") returned 1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="Reference Assemblies") returned -1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="Windows Defender") returned -1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="Windows Mail") returned -1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="Windows Media Player") returned -1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="Windows NT") returned -1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="Windows Sidebar") returned -1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="Startup") returned -1 [0054.490] lstrcmpW (lpString1="pagefile.sys", lpString2="Temp") returned -1 [0054.490] PathCombineW (in: pszDest=0x2acf8a0, pszDir="C:\\", pszFile="pagefile.sys" | out: pszDest="C:\\pagefile.sys") returned="C:\\pagefile.sys" [0054.490] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0054.490] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0054.491] FindNextFileW (in: hFindFile=0x4d4e98, lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 1 [0054.491] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0054.491] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0054.491] lstrcmpW (lpString1="PerfLogs", lpString2="Windows") returned -1 [0054.491] lstrcmpW (lpString1="PerfLogs", lpString2="MSOCache") returned 1 [0054.491] lstrcmpW (lpString1="PerfLogs", lpString2="PerfLogs") returned 0 [0054.491] FindNextFileW (in: hFindFile=0x4d4e98, lpFindFileData=0x2acf650 | out: lpFindFileData=0x2acf650) returned 1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="..") returned 1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2=".") returned 1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="Windows") returned -1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="MSOCache") returned 1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="PerfLogs") returned 1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="DVD Maker") returned 1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="Internet Explorer") returned 1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="Reference Assemblies") returned -1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="Windows Defender") returned -1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="Windows Mail") returned -1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="Windows Media Player") returned -1 [0054.491] lstrcmpW (lpString1="Program Files", lpString2="Windows NT") returned -1 [0054.492] lstrcmpW (lpString1="Program Files", lpString2="Windows Sidebar") returned -1 [0054.492] lstrcmpW (lpString1="Program Files", lpString2="Startup") returned -1 [0054.492] lstrcmpW (lpString1="Program Files", lpString2="Temp") returned -1 [0054.492] PathCombineW (in: pszDest=0x2acf8a0, pszDir="C:\\", pszFile="Program Files" | out: pszDest="C:\\Program Files") returned="C:\\Program Files" [0054.492] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Program Files", pszFile="*.*" | out: pszDest="C:\\Program Files\\*.*") returned="C:\\Program Files\\*.*" [0054.492] FindFirstFileW (in: lpFileName="C:\\Program Files\\*.*", lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 0x4d4898 [0054.492] FindNextFileW (in: hFindFile=0x4d4898, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.492] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.492] FindNextFileW (in: hFindFile=0x4d4898, lpFindFileData=0x2acefd0 | out: lpFindFileData=0x2acefd0) returned 1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="..") returned 1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2=".") returned 1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="Windows") returned -1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="MSOCache") returned -1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="PerfLogs") returned -1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="DVD Maker") returned -1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="Internet Explorer") returned -1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="Reference Assemblies") returned -1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="Windows Defender") returned -1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="Windows Mail") returned -1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="Windows Media Player") returned -1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="Windows NT") returned -1 [0054.492] lstrcmpW (lpString1="Common Files", lpString2="Windows Sidebar") returned -1 [0054.493] lstrcmpW (lpString1="Common Files", lpString2="Startup") returned -1 [0054.493] lstrcmpW (lpString1="Common Files", lpString2="Temp") returned -1 [0054.493] PathCombineW (in: pszDest=0x2acf220, pszDir="C:\\Program Files", pszFile="Common Files" | out: pszDest="C:\\Program Files\\Common Files") returned="C:\\Program Files\\Common Files" [0054.493] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Program Files\\Common Files", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\*.*") returned="C:\\Program Files\\Common Files\\*.*" [0054.493] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*.*", lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 0x4d4d98 [0054.493] FindNextFileW (in: hFindFile=0x4d4d98, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.493] FindNextFileW (in: hFindFile=0x4d4d98, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="..") returned 1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2=".") returned 1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="Windows") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="MSOCache") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="PerfLogs") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="DVD Maker") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="Internet Explorer") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="Reference Assemblies") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="Windows Defender") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="Windows Mail") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="Windows Media Player") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="Windows NT") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="Windows Sidebar") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="Startup") returned -1 [0054.493] lstrcmpW (lpString1="DESIGNER", lpString2="Temp") returned -1 [0054.493] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Program Files\\Common Files", pszFile="DESIGNER" | out: pszDest="C:\\Program Files\\Common Files\\DESIGNER") returned="C:\\Program Files\\Common Files\\DESIGNER" [0054.493] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\DESIGNER", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned="C:\\Program Files\\Common Files\\DESIGNER\\*.*" [0054.493] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*.*", lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 0x4d4958 [0054.495] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0054.495] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.495] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="..") returned 1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2=".") returned 1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="Windows") returned -1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="MSOCache") returned -1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="PerfLogs") returned -1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="DVD Maker") returned 1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="Internet Explorer") returned 1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="Reference Assemblies") returned -1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="Windows Defender") returned -1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="Windows Mail") returned -1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="Windows Media Player") returned -1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="Windows NT") returned -1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="Windows Sidebar") returned -1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="Startup") returned -1 [0054.495] lstrcmpW (lpString1="MSADDNDR.OLB", lpString2="Temp") returned -1 [0054.495] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\DESIGNER", pszFile="MSADDNDR.OLB" | out: pszDest="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" [0054.495] PathFindExtensionW (pszPath="MSADDNDR.OLB") returned=".OLB" [0054.495] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x214 [0054.496] GetFileSize (in: hFile=0x214, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x3e70 [0054.496] CreateFileMappingW (hFile=0x214, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e70, lpName=0x0) returned 0x24c [0054.496] MapViewOfFile (hFileMappingObject=0x24c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0054.523] CloseHandle (hObject=0x24c) returned 1 [0054.523] CloseHandle (hObject=0x214) returned 1 [0054.527] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0054.527] _wfopen (_FileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), _Mode="rb+") returned 0x76ea4c68 [0054.528] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0054.528] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0054.528] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0054.530] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), lpNewFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.[sepsis@protonmail.com].sepsis")) returned 1 [0054.531] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 0 [0054.531] FindClose (in: hFindFile=0x4d4958 | out: hFindFile=0x4d4958) returned 1 [0054.531] FindNextFileW (in: hFindFile=0x4d4d98, lpFindFileData=0x2ace950 | out: lpFindFileData=0x2ace950) returned 1 [0054.531] lstrcmpW (lpString1="microsoft shared", lpString2="..") returned 1 [0054.531] lstrcmpW (lpString1="microsoft shared", lpString2=".") returned 1 [0054.531] lstrcmpW (lpString1="microsoft shared", lpString2="Windows") returned -1 [0054.531] lstrcmpW (lpString1="microsoft shared", lpString2="MSOCache") returned -1 [0054.531] lstrcmpW (lpString1="microsoft shared", lpString2="PerfLogs") returned -1 [0054.531] lstrcmpW (lpString1="microsoft shared", lpString2="DVD Maker") returned 1 [0054.531] lstrcmpW (lpString1="microsoft shared", lpString2="Internet Explorer") returned 1 [0054.532] lstrcmpW (lpString1="microsoft shared", lpString2="Reference Assemblies") returned -1 [0054.532] lstrcmpW (lpString1="microsoft shared", lpString2="Windows Defender") returned -1 [0054.532] lstrcmpW (lpString1="microsoft shared", lpString2="Windows Mail") returned -1 [0054.532] lstrcmpW (lpString1="microsoft shared", lpString2="Windows Media Player") returned -1 [0054.532] lstrcmpW (lpString1="microsoft shared", lpString2="Windows NT") returned -1 [0054.532] lstrcmpW (lpString1="microsoft shared", lpString2="Windows Sidebar") returned -1 [0054.532] lstrcmpW (lpString1="microsoft shared", lpString2="Startup") returned -1 [0054.532] lstrcmpW (lpString1="microsoft shared", lpString2="Temp") returned -1 [0054.532] PathCombineW (in: pszDest=0x2aceba0, pszDir="C:\\Program Files\\Common Files", pszFile="microsoft shared" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared") returned="C:\\Program Files\\Common Files\\microsoft shared" [0054.532] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\*.*" [0054.532] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\*.*", lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 0x4d4b58 [0054.532] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0054.532] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.532] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0054.532] lstrcmpW (lpString1="ClickToRun", lpString2="..") returned 1 [0054.532] lstrcmpW (lpString1="ClickToRun", lpString2=".") returned 1 [0054.532] lstrcmpW (lpString1="ClickToRun", lpString2="Windows") returned -1 [0054.532] lstrcmpW (lpString1="ClickToRun", lpString2="MSOCache") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="PerfLogs") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="DVD Maker") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="Internet Explorer") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="Reference Assemblies") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="Windows Defender") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="Windows Mail") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="Windows Media Player") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="Windows NT") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="Windows Sidebar") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="Startup") returned -1 [0054.533] lstrcmpW (lpString1="ClickToRun", lpString2="Temp") returned -1 [0054.533] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="ClickToRun" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun") returned="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun" [0054.533] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*" [0054.533] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4958 [0054.543] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0054.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.543] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0 [0054.543] FindClose (in: hFindFile=0x4d4958 | out: hFindFile=0x4d4958) returned 1 [0054.543] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0054.543] lstrcmpW (lpString1="DW", lpString2="..") returned 1 [0054.543] lstrcmpW (lpString1="DW", lpString2=".") returned 1 [0054.543] lstrcmpW (lpString1="DW", lpString2="Windows") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="MSOCache") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="PerfLogs") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="DVD Maker") returned 1 [0054.544] lstrcmpW (lpString1="DW", lpString2="Internet Explorer") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="Reference Assemblies") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="Windows Defender") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="Windows Mail") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="Windows Media Player") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="Windows NT") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="Windows Sidebar") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="Startup") returned -1 [0054.544] lstrcmpW (lpString1="DW", lpString2="Temp") returned -1 [0054.544] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="DW" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\DW") returned="C:\\Program Files\\Common Files\\microsoft shared\\DW" [0054.544] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\DW", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\DW\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\DW\\*.*" [0054.544] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4a98 [0054.546] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0054.546] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.546] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="..") returned 1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2=".") returned 1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="Windows") returned -1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="MSOCache") returned -1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="PerfLogs") returned -1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="DVD Maker") returned -1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="Internet Explorer") returned -1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="Reference Assemblies") returned -1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="Windows Defender") returned -1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="Windows Mail") returned -1 [0054.546] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="Windows Media Player") returned -1 [0054.547] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="Windows NT") returned -1 [0054.547] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="Windows Sidebar") returned -1 [0054.547] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="Startup") returned -1 [0054.547] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="Temp") returned -1 [0054.547] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\DW", pszFile="DBGHELP.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DBGHELP.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DBGHELP.DLL" [0054.547] PathFindExtensionW (pszPath="DBGHELP.DLL") returned=".DLL" [0054.547] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0054.548] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x14e760 [0054.548] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14e760, lpName=0x0) returned 0x248 [0054.548] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0054.767] CloseHandle (hObject=0x248) returned 1 [0054.767] CloseHandle (hObject=0x24c) returned 1 [0054.955] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0054.964] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), _Mode="rb+") returned 0x76ea4c68 [0054.965] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0054.965] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0054.965] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0054.991] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DBGHELP.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0054.991] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="..") returned 1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2=".") returned 1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="Windows") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="MSOCache") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="PerfLogs") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="DVD Maker") returned 1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="Internet Explorer") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="Reference Assemblies") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="Windows Defender") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="Windows Mail") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="Windows Media Player") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="Windows NT") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="Windows Sidebar") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="Startup") returned -1 [0054.991] lstrcmpW (lpString1="DW20.EXE", lpString2="Temp") returned -1 [0054.991] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\DW", pszFile="DW20.EXE" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DW20.EXE") returned="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DW20.EXE" [0054.991] PathFindExtensionW (pszPath="DW20.EXE") returned=".EXE" [0054.992] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0054.996] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xf38d0 [0054.996] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf38d0, lpName=0x0) returned 0x248 [0054.996] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0055.363] CloseHandle (hObject=0x248) returned 1 [0055.363] CloseHandle (hObject=0x24c) returned 1 [0055.483] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0055.487] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), _Mode="rb+") returned 0x76ea4c68 [0055.487] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0055.487] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0055.487] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0055.770] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DW20.EXE.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.[sepsis@protonmail.com].sepsis")) returned 1 [0055.771] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="..") returned 1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2=".") returned 1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="Windows") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="MSOCache") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="PerfLogs") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="DVD Maker") returned 1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="Internet Explorer") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="Reference Assemblies") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="Windows Defender") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="Windows Mail") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="Windows Media Player") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="Windows NT") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="Windows Sidebar") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="Startup") returned -1 [0055.771] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="Temp") returned -1 [0055.771] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\DW", pszFile="DWTRIG20.EXE" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DWTRIG20.EXE") returned="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DWTRIG20.EXE" [0055.771] PathFindExtensionW (pszPath="DWTRIG20.EXE") returned=".EXE" [0055.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0055.778] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8f8e8 [0055.778] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8f8e8, lpName=0x0) returned 0x248 [0055.778] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0056.078] CloseHandle (hObject=0x248) returned 1 [0056.079] CloseHandle (hObject=0x24c) returned 1 [0056.150] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0056.153] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), _Mode="rb+") returned 0x76ea4c68 [0056.153] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0056.153] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0056.153] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0056.163] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\DW\\DWTRIG20.EXE.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.[sepsis@protonmail.com].sepsis")) returned 1 [0056.178] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0 [0056.178] FindClose (in: hFindFile=0x4d4a98 | out: hFindFile=0x4d4a98) returned 1 [0056.178] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2="..") returned 1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2=".") returned 1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2="Windows") returned -1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2="MSOCache") returned -1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2="PerfLogs") returned -1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2="DVD Maker") returned 1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2="Internet Explorer") returned -1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2="Reference Assemblies") returned -1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2="Windows Defender") returned -1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2="Windows Mail") returned -1 [0056.178] lstrcmpW (lpString1="EQUATION", lpString2="Windows Media Player") returned -1 [0056.179] lstrcmpW (lpString1="EQUATION", lpString2="Windows NT") returned -1 [0056.179] lstrcmpW (lpString1="EQUATION", lpString2="Windows Sidebar") returned -1 [0056.179] lstrcmpW (lpString1="EQUATION", lpString2="Startup") returned -1 [0056.179] lstrcmpW (lpString1="EQUATION", lpString2="Temp") returned -1 [0056.179] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="EQUATION" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION") returned="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION" [0056.179] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\*.*" [0056.179] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4a18 [0056.179] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0056.179] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.179] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0056.179] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0056.179] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0056.179] lstrcmpW (lpString1="1033", lpString2="Windows") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="MSOCache") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="PerfLogs") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="DVD Maker") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="Internet Explorer") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="Reference Assemblies") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="Windows Defender") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="Windows Mail") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="Windows Media Player") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="Windows NT") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="Windows Sidebar") returned -1 [0056.179] lstrcmpW (lpString1="1033", lpString2="Startup") returned -1 [0056.180] lstrcmpW (lpString1="1033", lpString2="Temp") returned -1 [0056.180] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION", pszFile="1033" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033") returned="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033" [0056.180] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\*.*" [0056.180] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4998 [0056.199] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0056.199] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.199] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="..") returned 1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2=".") returned 1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="Windows") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="MSOCache") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="PerfLogs") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="DVD Maker") returned 1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="Internet Explorer") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="Reference Assemblies") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="Windows Defender") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="Windows Mail") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="Windows Media Player") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="Windows NT") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="Windows Sidebar") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="Startup") returned -1 [0056.199] lstrcmpW (lpString1="EEINTL.DLL", lpString2="Temp") returned -1 [0056.199] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033", pszFile="EEINTL.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\EEINTL.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\EEINTL.DLL" [0056.199] PathFindExtensionW (pszPath="EEINTL.DLL") returned=".DLL" [0056.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0056.200] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xfa60 [0056.200] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfa60, lpName=0x0) returned 0x244 [0056.200] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0056.237] CloseHandle (hObject=0x244) returned 1 [0056.237] CloseHandle (hObject=0x248) returned 1 [0056.243] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0056.244] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), _Mode="rb+") returned 0x76ea4c68 [0056.244] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0056.244] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0056.244] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0056.246] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\EEINTL.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0056.247] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0056.247] FindClose (in: hFindFile=0x4d4998 | out: hFindFile=0x4d4998) returned 1 [0056.247] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="..") returned 1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2=".") returned 1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="Windows") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="MSOCache") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="PerfLogs") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="DVD Maker") returned 1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="Internet Explorer") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="Reference Assemblies") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="Windows Defender") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="Windows Mail") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="Windows Media Player") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="Windows NT") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="Windows Sidebar") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="Startup") returned -1 [0056.247] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="Temp") returned -1 [0056.247] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION", pszFile="EQNEDT32.CNT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.CNT") returned="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.CNT" [0056.247] PathFindExtensionW (pszPath="EQNEDT32.CNT") returned=".CNT" [0056.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0056.250] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9fd [0056.250] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9fd, lpName=0x0) returned 0x248 [0056.250] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0056.261] CloseHandle (hObject=0x248) returned 1 [0056.261] CloseHandle (hObject=0x24c) returned 1 [0056.273] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0056.273] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), _Mode="rb+") returned 0x76ea4c68 [0056.273] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0056.273] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0056.273] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0056.274] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.CNT.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.[sepsis@protonmail.com].sepsis")) returned 1 [0056.275] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="..") returned 1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2=".") returned 1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="Windows") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="MSOCache") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="PerfLogs") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="DVD Maker") returned 1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="Internet Explorer") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="Reference Assemblies") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="Windows Defender") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="Windows Mail") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="Windows Media Player") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="Windows NT") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="Windows Sidebar") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="Startup") returned -1 [0056.275] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="Temp") returned -1 [0056.275] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION", pszFile="EQNEDT32.EXE" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE") returned="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE" [0056.275] PathFindExtensionW (pszPath="EQNEDT32.EXE") returned=".EXE" [0056.275] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0056.275] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x84a48 [0056.275] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x84a48, lpName=0x0) returned 0x248 [0056.275] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0056.781] CloseHandle (hObject=0x248) returned 1 [0056.781] CloseHandle (hObject=0x24c) returned 1 [0056.858] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0056.860] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), _Mode="rb+") returned 0x76ea4c68 [0056.860] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0056.861] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0056.861] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0056.880] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.[sepsis@protonmail.com].sepsis")) returned 1 [0056.891] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="..") returned 1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2=".") returned 1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="Windows") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="MSOCache") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="PerfLogs") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="DVD Maker") returned 1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="Internet Explorer") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="Reference Assemblies") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="Windows Defender") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="Windows Mail") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="Windows Media Player") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="Windows NT") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="Windows Sidebar") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="Startup") returned -1 [0056.891] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="Temp") returned -1 [0056.891] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION", pszFile="eqnedt32.exe.manifest" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\eqnedt32.exe.manifest") returned="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\eqnedt32.exe.manifest" [0056.891] PathFindExtensionW (pszPath="eqnedt32.exe.manifest") returned=".manifest" [0056.891] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0056.892] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x236 [0056.892] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x236, lpName=0x0) returned 0x248 [0056.892] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0056.893] CloseHandle (hObject=0x248) returned 1 [0056.893] CloseHandle (hObject=0x24c) returned 1 [0056.895] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0056.895] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), _Mode="rb+") returned 0x76ea4c68 [0056.895] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0056.895] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0056.895] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0056.945] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\eqnedt32.exe.manifest.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.[sepsis@protonmail.com].sepsis")) returned 1 [0056.982] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0056.982] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="..") returned 1 [0056.982] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2=".") returned 1 [0056.982] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="Windows") returned -1 [0056.982] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="MSOCache") returned -1 [0056.982] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="PerfLogs") returned -1 [0056.982] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="DVD Maker") returned 1 [0056.982] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="Internet Explorer") returned -1 [0056.982] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="Reference Assemblies") returned -1 [0056.982] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="Windows Defender") returned -1 [0056.983] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="Windows Mail") returned -1 [0056.983] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="Windows Media Player") returned -1 [0056.983] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="Windows NT") returned -1 [0056.983] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="Windows Sidebar") returned -1 [0056.983] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="Startup") returned -1 [0056.983] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="Temp") returned -1 [0056.983] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION", pszFile="EQNEDT32.HLP" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.HLP") returned="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.HLP" [0056.983] PathFindExtensionW (pszPath="EQNEDT32.HLP") returned=".HLP" [0056.983] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0056.983] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2b0b7 [0056.983] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2b0b7, lpName=0x0) returned 0x248 [0056.983] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0056.993] CloseHandle (hObject=0x248) returned 1 [0056.993] CloseHandle (hObject=0x24c) returned 1 [0057.004] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0057.007] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), _Mode="rb+") returned 0x76ea4c68 [0057.007] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0057.007] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0057.007] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0057.021] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.HLP.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.[sepsis@protonmail.com].sepsis")) returned 1 [0057.033] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="..") returned 1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2=".") returned 1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="Windows") returned -1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="MSOCache") returned 1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="PerfLogs") returned -1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="DVD Maker") returned 1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="Internet Explorer") returned 1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="Reference Assemblies") returned -1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="Windows Defender") returned -1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="Windows Mail") returned -1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="Windows Media Player") returned -1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="Windows NT") returned -1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="Windows Sidebar") returned -1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="Startup") returned -1 [0057.033] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="Temp") returned -1 [0057.033] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION", pszFile="MTEXTRA.TTF" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\MTEXTRA.TTF") returned="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\MTEXTRA.TTF" [0057.033] PathFindExtensionW (pszPath="MTEXTRA.TTF") returned=".TTF" [0057.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0057.033] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1de8 [0057.034] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1de8, lpName=0x0) returned 0x248 [0057.034] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0057.035] CloseHandle (hObject=0x248) returned 1 [0057.035] CloseHandle (hObject=0x24c) returned 1 [0057.040] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0057.040] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), _Mode="rb+") returned 0x76ea4c68 [0057.041] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0057.041] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0057.041] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0057.042] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\MTEXTRA.TTF.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.[sepsis@protonmail.com].sepsis")) returned 1 [0057.042] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0 [0057.042] FindClose (in: hFindFile=0x4d4a18 | out: hFindFile=0x4d4a18) returned 1 [0057.043] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="..") returned 1 [0057.043] lstrcmpW (lpString1="EURO", lpString2=".") returned 1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="Windows") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="MSOCache") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="PerfLogs") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="DVD Maker") returned 1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="Internet Explorer") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="Reference Assemblies") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="Windows Defender") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="Windows Mail") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="Windows Media Player") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="Windows NT") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="Windows Sidebar") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="Startup") returned -1 [0057.043] lstrcmpW (lpString1="EURO", lpString2="Temp") returned -1 [0057.043] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="EURO" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EURO") returned="C:\\Program Files\\Common Files\\microsoft shared\\EURO" [0057.043] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EURO", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EURO\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\EURO\\*.*" [0057.043] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\EURO\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4e58 [0057.052] FindNextFileW (in: hFindFile=0x4d4e58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0057.053] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.053] FindNextFileW (in: hFindFile=0x4d4e58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="..") returned 1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2=".") returned 1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="Windows") returned -1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="MSOCache") returned 1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="PerfLogs") returned -1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="DVD Maker") returned 1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="Internet Explorer") returned 1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="Reference Assemblies") returned -1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="Windows Defender") returned -1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="Windows Mail") returned -1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="Windows Media Player") returned -1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="Windows NT") returned -1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="Windows Sidebar") returned -1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="Startup") returned -1 [0057.053] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="Temp") returned -1 [0057.053] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\EURO", pszFile="MSOEURO.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\EURO\\MSOEURO.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\EURO\\MSOEURO.DLL" [0057.053] PathFindExtensionW (pszPath="MSOEURO.DLL") returned=".DLL" [0057.053] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0057.053] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x7e70 [0057.053] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e70, lpName=0x0) returned 0x248 [0057.053] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0057.194] CloseHandle (hObject=0x248) returned 1 [0057.194] CloseHandle (hObject=0x24c) returned 1 [0057.203] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0057.203] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), _Mode="rb+") returned 0x76ea4c68 [0057.204] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0057.204] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0057.204] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0057.205] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\EURO\\MSOEURO.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0057.205] FindNextFileW (in: hFindFile=0x4d4e58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0 [0057.205] FindClose (in: hFindFile=0x4d4e58 | out: hFindFile=0x4d4e58) returned 1 [0057.205] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="..") returned 1 [0057.205] lstrcmpW (lpString1="Filters", lpString2=".") returned 1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="Windows") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="MSOCache") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="PerfLogs") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="DVD Maker") returned 1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="Internet Explorer") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="Reference Assemblies") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="Windows Defender") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="Windows Mail") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="Windows Media Player") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="Windows NT") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="Windows Sidebar") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="Startup") returned -1 [0057.205] lstrcmpW (lpString1="Filters", lpString2="Temp") returned -1 [0057.205] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="Filters" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Filters") returned="C:\\Program Files\\Common Files\\microsoft shared\\Filters" [0057.205] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Filters", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\*.*" [0057.205] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4a58 [0057.206] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0057.206] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.206] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="..") returned 1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2=".") returned 1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="Windows") returned -1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="MSOCache") returned -1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="PerfLogs") returned -1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="DVD Maker") returned 1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="Internet Explorer") returned 1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="Reference Assemblies") returned -1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="Windows Defender") returned -1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="Windows Mail") returned -1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="Windows Media Player") returned -1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="Windows NT") returned -1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="Windows Sidebar") returned -1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="Startup") returned -1 [0057.206] lstrcmpW (lpString1="msgfilt.dll", lpString2="Temp") returned -1 [0057.206] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Filters", pszFile="msgfilt.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\msgfilt.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\msgfilt.dll" [0057.207] PathFindExtensionW (pszPath="msgfilt.dll") returned=".dll" [0057.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0057.207] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9c80 [0057.207] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9c80, lpName=0x0) returned 0x248 [0057.207] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0057.342] CloseHandle (hObject=0x248) returned 1 [0057.343] CloseHandle (hObject=0x24c) returned 1 [0057.355] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0057.355] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), _Mode="rb+") returned 0x76ea4c68 [0057.355] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0057.355] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0057.355] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0057.356] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\msgfilt.dll.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0057.357] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="..") returned 1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2=".") returned 1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="Windows") returned -1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="MSOCache") returned 1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="PerfLogs") returned -1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="DVD Maker") returned 1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="Internet Explorer") returned 1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="Reference Assemblies") returned -1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="Windows Defender") returned -1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="Windows Mail") returned -1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="Windows Media Player") returned -1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="Windows NT") returned -1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="Windows Sidebar") returned -1 [0057.357] lstrcmpW (lpString1="odffilt.dll", lpString2="Startup") returned -1 [0057.358] lstrcmpW (lpString1="odffilt.dll", lpString2="Temp") returned -1 [0057.358] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Filters", pszFile="odffilt.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\odffilt.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\odffilt.dll" [0057.358] PathFindExtensionW (pszPath="odffilt.dll") returned=".dll" [0057.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0057.358] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xeb2a0 [0057.358] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xeb2a0, lpName=0x0) returned 0x248 [0057.359] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0058.020] CloseHandle (hObject=0x248) returned 1 [0058.020] CloseHandle (hObject=0x24c) returned 1 [0058.164] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0058.168] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), _Mode="rb+") returned 0x76ea4c68 [0058.168] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0058.168] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0058.168] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0058.182] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\odffilt.dll.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0058.195] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="..") returned 1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2=".") returned 1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="Windows") returned -1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="MSOCache") returned 1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="PerfLogs") returned -1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="DVD Maker") returned 1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="Internet Explorer") returned 1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="Reference Assemblies") returned -1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="Windows Defender") returned -1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="Windows Mail") returned -1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="Windows Media Player") returned -1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="Windows NT") returned -1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="Windows Sidebar") returned -1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="Startup") returned -1 [0058.195] lstrcmpW (lpString1="offfiltx.dll", lpString2="Temp") returned -1 [0058.195] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Filters", pszFile="offfiltx.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\offfiltx.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\offfiltx.dll" [0058.195] PathFindExtensionW (pszPath="offfiltx.dll") returned=".dll" [0058.196] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0058.198] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x11fa98 [0058.198] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11fa98, lpName=0x0) returned 0x248 [0058.198] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0058.434] CloseHandle (hObject=0x248) returned 1 [0058.434] CloseHandle (hObject=0x24c) returned 1 [0058.673] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0058.722] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), _Mode="rb+") returned 0x76ea4c68 [0058.722] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0058.722] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0058.722] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0058.736] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\offfiltx.dll.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0058.737] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="..") returned 1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2=".") returned 1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="Windows") returned -1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="MSOCache") returned 1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="PerfLogs") returned 1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="DVD Maker") returned 1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="Internet Explorer") returned 1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="Reference Assemblies") returned 1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="Windows Defender") returned -1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="Windows Mail") returned -1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="Windows Media Player") returned -1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="Windows NT") returned -1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="Windows Sidebar") returned -1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="Startup") returned 1 [0058.737] lstrcmpW (lpString1="VISFILT.DLL", lpString2="Temp") returned 1 [0058.737] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Filters", pszFile="VISFILT.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\VISFILT.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\VISFILT.DLL" [0058.737] PathFindExtensionW (pszPath="VISFILT.DLL") returned=".DLL" [0058.737] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0058.737] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x3be4c0 [0058.737] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x248 [0058.737] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0059.092] CloseHandle (hObject=0x248) returned 1 [0059.093] CloseHandle (hObject=0x24c) returned 1 [0059.551] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0059.563] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), _Mode="rb+") returned 0x76ea4c68 [0059.564] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0059.564] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0059.564] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0059.628] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Filters\\VISFILT.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0059.628] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0 [0059.628] FindClose (in: hFindFile=0x4d4a58 | out: hFindFile=0x4d4a58) returned 1 [0059.628] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="..") returned 1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2=".") returned 1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="Windows") returned -1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="MSOCache") returned -1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="PerfLogs") returned -1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="DVD Maker") returned 1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="Internet Explorer") returned -1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="Reference Assemblies") returned -1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="Windows Defender") returned -1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="Windows Mail") returned -1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="Windows Media Player") returned -1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="Windows NT") returned -1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="Windows Sidebar") returned -1 [0059.628] lstrcmpW (lpString1="GRPHFLT", lpString2="Startup") returned -1 [0059.629] lstrcmpW (lpString1="GRPHFLT", lpString2="Temp") returned -1 [0059.629] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="GRPHFLT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT" [0059.629] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\*.*" [0059.629] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4bd8 [0059.641] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0059.642] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.642] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="..") returned 1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2=".") returned 1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="Windows") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="MSOCache") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="PerfLogs") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="DVD Maker") returned 1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="Internet Explorer") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="Reference Assemblies") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="Windows Defender") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="Windows Mail") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="Windows Media Player") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="Windows NT") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="Windows Sidebar") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="Startup") returned -1 [0059.642] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="Temp") returned -1 [0059.642] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="EPSIMP32.FLT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\EPSIMP32.FLT") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\EPSIMP32.FLT" [0059.642] PathFindExtensionW (pszPath="EPSIMP32.FLT") returned=".FLT" [0059.642] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0059.642] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9ec98 [0059.642] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9ec98, lpName=0x0) returned 0x248 [0059.642] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0060.008] CloseHandle (hObject=0x248) returned 1 [0060.008] CloseHandle (hObject=0x24c) returned 1 [0060.096] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0060.099] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), _Mode="rb+") returned 0x76ea4c68 [0060.099] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0060.099] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0060.099] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0060.110] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\EPSIMP32.FLT.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.[sepsis@protonmail.com].sepsis")) returned 1 [0060.110] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0060.110] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="..") returned 1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2=".") returned 1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="Windows") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="MSOCache") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="PerfLogs") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="DVD Maker") returned 1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="Internet Explorer") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="Reference Assemblies") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="Windows Defender") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="Windows Mail") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="Windows Media Player") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="Windows NT") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="Windows Sidebar") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="Startup") returned -1 [0060.111] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="Temp") returned -1 [0060.111] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="GIFIMP32.FLT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\GIFIMP32.FLT") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\GIFIMP32.FLT" [0060.111] PathFindExtensionW (pszPath="GIFIMP32.FLT") returned=".FLT" [0060.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0060.112] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x3e888 [0060.112] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e888, lpName=0x0) returned 0x248 [0060.112] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0060.539] CloseHandle (hObject=0x248) returned 1 [0060.539] CloseHandle (hObject=0x24c) returned 1 [0060.623] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0060.624] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), _Mode="rb+") returned 0x76ea4c68 [0060.624] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0060.624] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0060.624] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0060.628] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\GIFIMP32.FLT.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.[sepsis@protonmail.com].sepsis")) returned 1 [0060.629] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="..") returned 1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2=".") returned 1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="Windows") returned -1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="MSOCache") returned -1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="PerfLogs") returned -1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="DVD Maker") returned 1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="Internet Explorer") returned 1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="Reference Assemblies") returned -1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="Windows Defender") returned -1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="Windows Mail") returned -1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="Windows Media Player") returned -1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="Windows NT") returned -1 [0060.629] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="Windows Sidebar") returned -1 [0060.630] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="Startup") returned -1 [0060.630] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="Temp") returned -1 [0060.630] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="JPEGIM32.FLT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\JPEGIM32.FLT") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\JPEGIM32.FLT" [0060.630] PathFindExtensionW (pszPath="JPEGIM32.FLT") returned=".FLT" [0060.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0060.630] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39090 [0060.630] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x39090, lpName=0x0) returned 0x248 [0060.631] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0061.025] CloseHandle (hObject=0x248) returned 1 [0061.025] CloseHandle (hObject=0x24c) returned 1 [0061.047] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0061.048] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), _Mode="rb+") returned 0x76ea4c68 [0061.048] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0061.048] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0061.048] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0061.062] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\JPEGIM32.FLT.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt.[sepsis@protonmail.com].sepsis")) returned 1 [0061.063] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="..") returned 1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2=".") returned 1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="Windows") returned -1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="MSOCache") returned -1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="PerfLogs") returned -1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="DVD Maker") returned 1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="Internet Explorer") returned 1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="Reference Assemblies") returned -1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="Windows Defender") returned -1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="Windows Mail") returned -1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="Windows Media Player") returned -1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="Windows NT") returned -1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="Windows Sidebar") returned -1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="Startup") returned -1 [0061.063] lstrcmpW (lpString1="MS.EPS", lpString2="Temp") returned -1 [0061.063] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="MS.EPS" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.EPS") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.EPS" [0061.063] PathFindExtensionW (pszPath="MS.EPS") returned=".EPS" [0061.063] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0061.064] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x3adb [0061.064] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3adb, lpName=0x0) returned 0x248 [0061.064] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0061.108] CloseHandle (hObject=0x248) returned 1 [0061.108] CloseHandle (hObject=0x24c) returned 1 [0061.112] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0061.112] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), _Mode="rb+") returned 0x76ea4c68 [0061.113] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0061.113] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0061.113] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0061.114] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.EPS.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.[sepsis@protonmail.com].sepsis")) returned 1 [0061.115] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="..") returned 1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2=".") returned 1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="Windows") returned -1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="MSOCache") returned -1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="PerfLogs") returned -1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="DVD Maker") returned 1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="Internet Explorer") returned 1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="Reference Assemblies") returned -1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="Windows Defender") returned -1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="Windows Mail") returned -1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="Windows Media Player") returned -1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="Windows NT") returned -1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="Windows Sidebar") returned -1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="Startup") returned -1 [0061.115] lstrcmpW (lpString1="MS.GIF", lpString2="Temp") returned -1 [0061.115] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="MS.GIF" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.GIF") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.GIF" [0061.115] PathFindExtensionW (pszPath="MS.GIF") returned=".GIF" [0061.115] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0061.116] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x42d [0061.116] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x42d, lpName=0x0) returned 0x248 [0061.116] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0061.121] CloseHandle (hObject=0x248) returned 1 [0061.121] CloseHandle (hObject=0x24c) returned 1 [0061.123] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0061.123] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), _Mode="rb+") returned 0x76ea4c68 [0061.123] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0061.123] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0061.123] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0061.125] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.GIF.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.[sepsis@protonmail.com].sepsis")) returned 1 [0061.125] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0061.125] lstrcmpW (lpString1="MS.JPG", lpString2="..") returned 1 [0061.125] lstrcmpW (lpString1="MS.JPG", lpString2=".") returned 1 [0061.125] lstrcmpW (lpString1="MS.JPG", lpString2="Windows") returned -1 [0061.125] lstrcmpW (lpString1="MS.JPG", lpString2="MSOCache") returned -1 [0061.125] lstrcmpW (lpString1="MS.JPG", lpString2="PerfLogs") returned -1 [0061.125] lstrcmpW (lpString1="MS.JPG", lpString2="DVD Maker") returned 1 [0061.126] lstrcmpW (lpString1="MS.JPG", lpString2="Internet Explorer") returned 1 [0061.126] lstrcmpW (lpString1="MS.JPG", lpString2="Reference Assemblies") returned -1 [0061.126] lstrcmpW (lpString1="MS.JPG", lpString2="Windows Defender") returned -1 [0061.126] lstrcmpW (lpString1="MS.JPG", lpString2="Windows Mail") returned -1 [0061.126] lstrcmpW (lpString1="MS.JPG", lpString2="Windows Media Player") returned -1 [0061.126] lstrcmpW (lpString1="MS.JPG", lpString2="Windows NT") returned -1 [0061.126] lstrcmpW (lpString1="MS.JPG", lpString2="Windows Sidebar") returned -1 [0061.126] lstrcmpW (lpString1="MS.JPG", lpString2="Startup") returned -1 [0061.126] lstrcmpW (lpString1="MS.JPG", lpString2="Temp") returned -1 [0061.126] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="MS.JPG" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.JPG") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.JPG" [0061.126] PathFindExtensionW (pszPath="MS.JPG") returned=".JPG" [0061.126] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0061.126] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x425 [0061.126] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x425, lpName=0x0) returned 0x248 [0061.126] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0061.126] CloseHandle (hObject=0x248) returned 1 [0061.127] CloseHandle (hObject=0x24c) returned 1 [0061.210] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0061.210] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), _Mode="rb+") returned 0x76ea4c68 [0061.210] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0061.210] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0061.210] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0061.220] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.JPG.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.[sepsis@protonmail.com].sepsis")) returned 1 [0061.221] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="..") returned 1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2=".") returned 1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="Windows") returned -1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="MSOCache") returned -1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="PerfLogs") returned -1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="DVD Maker") returned 1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="Internet Explorer") returned 1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="Reference Assemblies") returned -1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="Windows Defender") returned -1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="Windows Mail") returned -1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="Windows Media Player") returned -1 [0061.221] lstrcmpW (lpString1="MS.PNG", lpString2="Windows NT") returned -1 [0061.224] lstrcmpW (lpString1="MS.PNG", lpString2="Windows Sidebar") returned -1 [0061.224] lstrcmpW (lpString1="MS.PNG", lpString2="Startup") returned -1 [0061.224] lstrcmpW (lpString1="MS.PNG", lpString2="Temp") returned -1 [0061.224] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="MS.PNG" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.PNG") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.PNG" [0061.224] PathFindExtensionW (pszPath="MS.PNG") returned=".PNG" [0061.224] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0061.225] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x692 [0061.225] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x692, lpName=0x0) returned 0x248 [0061.225] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0061.225] CloseHandle (hObject=0x248) returned 1 [0061.225] CloseHandle (hObject=0x24c) returned 1 [0061.251] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0061.251] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), _Mode="rb+") returned 0x76ea4c68 [0061.252] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0061.252] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0061.252] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0061.252] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.PNG.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.[sepsis@protonmail.com].sepsis")) returned 1 [0061.254] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0061.254] lstrcmpW (lpString1="MS.WPG", lpString2="..") returned 1 [0061.254] lstrcmpW (lpString1="MS.WPG", lpString2=".") returned 1 [0061.254] lstrcmpW (lpString1="MS.WPG", lpString2="Windows") returned -1 [0061.254] lstrcmpW (lpString1="MS.WPG", lpString2="MSOCache") returned -1 [0061.254] lstrcmpW (lpString1="MS.WPG", lpString2="PerfLogs") returned -1 [0061.254] lstrcmpW (lpString1="MS.WPG", lpString2="DVD Maker") returned 1 [0061.254] lstrcmpW (lpString1="MS.WPG", lpString2="Internet Explorer") returned 1 [0061.255] lstrcmpW (lpString1="MS.WPG", lpString2="Reference Assemblies") returned -1 [0061.255] lstrcmpW (lpString1="MS.WPG", lpString2="Windows Defender") returned -1 [0061.255] lstrcmpW (lpString1="MS.WPG", lpString2="Windows Mail") returned -1 [0061.255] lstrcmpW (lpString1="MS.WPG", lpString2="Windows Media Player") returned -1 [0061.255] lstrcmpW (lpString1="MS.WPG", lpString2="Windows NT") returned -1 [0061.255] lstrcmpW (lpString1="MS.WPG", lpString2="Windows Sidebar") returned -1 [0061.255] lstrcmpW (lpString1="MS.WPG", lpString2="Startup") returned -1 [0061.255] lstrcmpW (lpString1="MS.WPG", lpString2="Temp") returned -1 [0061.255] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="MS.WPG" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.WPG") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.WPG" [0061.255] PathFindExtensionW (pszPath="MS.WPG") returned=".WPG" [0061.255] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0061.255] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x566 [0061.255] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x566, lpName=0x0) returned 0x248 [0061.255] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0061.255] CloseHandle (hObject=0x248) returned 1 [0061.256] CloseHandle (hObject=0x24c) returned 1 [0061.265] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0061.265] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), _Mode="rb+") returned 0x76ea4c68 [0061.265] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0061.265] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0061.265] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0061.266] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\MS.WPG.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.[sepsis@protonmail.com].sepsis")) returned 1 [0061.266] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0061.266] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="..") returned 1 [0061.266] lstrcmpW (lpString1="PICTIM32.FLT", lpString2=".") returned 1 [0061.266] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="Windows") returned -1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="MSOCache") returned 1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="PerfLogs") returned 1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="DVD Maker") returned 1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="Internet Explorer") returned 1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="Reference Assemblies") returned -1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="Windows Defender") returned -1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="Windows Mail") returned -1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="Windows Media Player") returned -1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="Windows NT") returned -1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="Windows Sidebar") returned -1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="Startup") returned -1 [0061.267] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="Temp") returned -1 [0061.267] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="PICTIM32.FLT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PICTIM32.FLT") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PICTIM32.FLT" [0061.267] PathFindExtensionW (pszPath="PICTIM32.FLT") returned=".FLT" [0061.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0061.268] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x12a98 [0061.268] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12a98, lpName=0x0) returned 0x248 [0061.268] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0061.506] CloseHandle (hObject=0x248) returned 1 [0061.506] CloseHandle (hObject=0x24c) returned 1 [0061.538] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0061.538] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), _Mode="rb+") returned 0x76ea4c68 [0061.538] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0061.539] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0061.539] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0061.541] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PICTIM32.FLT.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.[sepsis@protonmail.com].sepsis")) returned 1 [0061.542] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="..") returned 1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2=".") returned 1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="Windows") returned -1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="MSOCache") returned 1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="PerfLogs") returned 1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="DVD Maker") returned 1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="Internet Explorer") returned 1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="Reference Assemblies") returned -1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="Windows Defender") returned -1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="Windows Mail") returned -1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="Windows Media Player") returned -1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="Windows NT") returned -1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="Windows Sidebar") returned -1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="Startup") returned -1 [0061.542] lstrcmpW (lpString1="PNG32.FLT", lpString2="Temp") returned -1 [0061.542] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="PNG32.FLT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PNG32.FLT") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PNG32.FLT" [0061.542] PathFindExtensionW (pszPath="PNG32.FLT") returned=".FLT" [0061.542] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0061.543] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x43ea0 [0061.543] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x43ea0, lpName=0x0) returned 0x248 [0061.543] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0061.720] CloseHandle (hObject=0x248) returned 1 [0061.720] CloseHandle (hObject=0x24c) returned 1 [0061.781] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0061.783] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), _Mode="rb+") returned 0x76ea4c68 [0061.783] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0061.783] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0061.783] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0061.789] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\PNG32.FLT.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt.[sepsis@protonmail.com].sepsis")) returned 1 [0061.790] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="..") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2=".") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="Windows") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="MSOCache") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="PerfLogs") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="DVD Maker") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="Internet Explorer") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="Reference Assemblies") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="Windows Defender") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="Windows Mail") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="Windows Media Player") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="Windows NT") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="Windows Sidebar") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="Startup") returned 1 [0061.790] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="Temp") returned 1 [0061.790] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT", pszFile="WPGIMP32.FLT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\WPGIMP32.FLT") returned="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\WPGIMP32.FLT" [0061.790] PathFindExtensionW (pszPath="WPGIMP32.FLT") returned=".FLT" [0061.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0061.791] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x41ea0 [0061.791] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x41ea0, lpName=0x0) returned 0x248 [0061.791] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0061.943] CloseHandle (hObject=0x248) returned 1 [0061.943] CloseHandle (hObject=0x24c) returned 1 [0061.964] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0061.967] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), _Mode="rb+") returned 0x76ea4c68 [0061.967] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0061.967] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0061.967] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0061.983] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\GRPHFLT\\WPGIMP32.FLT.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt.[sepsis@protonmail.com].sepsis")) returned 1 [0061.986] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0 [0061.986] FindClose (in: hFindFile=0x4d4bd8 | out: hFindFile=0x4d4bd8) returned 1 [0061.986] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0061.986] lstrcmpW (lpString1="Help", lpString2="..") returned 1 [0061.986] lstrcmpW (lpString1="Help", lpString2=".") returned 1 [0061.986] lstrcmpW (lpString1="Help", lpString2="Windows") returned -1 [0061.986] lstrcmpW (lpString1="Help", lpString2="MSOCache") returned -1 [0061.986] lstrcmpW (lpString1="Help", lpString2="PerfLogs") returned -1 [0061.986] lstrcmpW (lpString1="Help", lpString2="DVD Maker") returned 1 [0061.986] lstrcmpW (lpString1="Help", lpString2="Internet Explorer") returned -1 [0061.986] lstrcmpW (lpString1="Help", lpString2="Reference Assemblies") returned -1 [0061.986] lstrcmpW (lpString1="Help", lpString2="Windows Defender") returned -1 [0061.986] lstrcmpW (lpString1="Help", lpString2="Windows Mail") returned -1 [0061.986] lstrcmpW (lpString1="Help", lpString2="Windows Media Player") returned -1 [0061.986] lstrcmpW (lpString1="Help", lpString2="Windows NT") returned -1 [0061.987] lstrcmpW (lpString1="Help", lpString2="Windows Sidebar") returned -1 [0061.987] lstrcmpW (lpString1="Help", lpString2="Startup") returned -1 [0061.987] lstrcmpW (lpString1="Help", lpString2="Temp") returned -1 [0061.987] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="Help" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Help") returned="C:\\Program Files\\Common Files\\microsoft shared\\Help" [0061.987] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Help", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Help\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\Help\\*.*" [0061.987] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4d58 [0062.016] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0062.016] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.016] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="..") returned 1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2=".") returned 1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="Windows") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="MSOCache") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="PerfLogs") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="DVD Maker") returned 1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="Internet Explorer") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="Reference Assemblies") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="Windows Defender") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="Windows Mail") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="Windows Media Player") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="Windows NT") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="Windows Sidebar") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="Startup") returned -1 [0062.017] lstrcmpW (lpString1="Hx.HxC", lpString2="Temp") returned -1 [0062.017] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Help", pszFile="Hx.HxC" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxC") returned="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxC" [0062.017] PathFindExtensionW (pszPath="Hx.HxC") returned=".HxC" [0062.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxC" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hx.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0062.018] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x323 [0062.018] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x323, lpName=0x0) returned 0x248 [0062.018] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0062.046] CloseHandle (hObject=0x248) returned 1 [0062.047] CloseHandle (hObject=0x24c) returned 1 [0062.115] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0062.116] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxC" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hx.hxc"), _Mode="rb+") returned 0x76ea4c68 [0062.116] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0062.116] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0062.116] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0062.120] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxC" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hx.hxc"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxC.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hx.hxc.[sepsis@protonmail.com].sepsis")) returned 1 [0062.120] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="..") returned 1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2=".") returned 1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="Windows") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="MSOCache") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="PerfLogs") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="DVD Maker") returned 1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="Internet Explorer") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="Reference Assemblies") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="Windows Defender") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="Windows Mail") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="Windows Media Player") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="Windows NT") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="Windows Sidebar") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="Startup") returned -1 [0062.120] lstrcmpW (lpString1="Hx.HxT", lpString2="Temp") returned -1 [0062.120] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Help", pszFile="Hx.HxT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxT") returned="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxT" [0062.120] PathFindExtensionW (pszPath="Hx.HxT") returned=".HxT" [0062.120] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxT" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hx.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0062.121] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa9 [0062.121] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa9, lpName=0x0) returned 0x248 [0062.121] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0062.121] CloseHandle (hObject=0x248) returned 1 [0062.121] CloseHandle (hObject=0x24c) returned 1 [0062.127] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0062.128] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxT" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hx.hxt"), _Mode="rb+") returned 0x76ea4c68 [0062.128] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0062.128] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0062.128] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0062.132] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxT" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hx.hxt"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Hx.HxT.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hx.hxt.[sepsis@protonmail.com].sepsis")) returned 1 [0062.132] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="..") returned 1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2=".") returned 1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="Windows") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="MSOCache") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="PerfLogs") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="DVD Maker") returned 1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="Internet Explorer") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="Reference Assemblies") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="Windows Defender") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="Windows Mail") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="Windows Media Player") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="Windows NT") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="Windows Sidebar") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="Startup") returned -1 [0062.132] lstrcmpW (lpString1="hxds.dll", lpString2="Temp") returned -1 [0062.132] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Help", pszFile="hxds.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Help\\hxds.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\Help\\hxds.dll" [0062.133] PathFindExtensionW (pszPath="hxds.dll") returned=".dll" [0062.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0062.133] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x12da90 [0062.133] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12da90, lpName=0x0) returned 0x248 [0062.133] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0062.974] CloseHandle (hObject=0x248) returned 1 [0062.974] CloseHandle (hObject=0x24c) returned 1 [0063.308] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0063.316] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), _Mode="rb+") returned 0x76ea4c68 [0063.317] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0063.317] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0063.317] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0063.386] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\hxds.dll.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0063.386] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="..") returned 1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2=".") returned 1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="Windows") returned -1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="MSOCache") returned -1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="PerfLogs") returned -1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="DVD Maker") returned 1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="Internet Explorer") returned -1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="Reference Assemblies") returned -1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="Windows Defender") returned -1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="Windows Mail") returned -1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="Windows Media Player") returned -1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="Windows NT") returned -1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="Windows Sidebar") returned -1 [0063.386] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="Startup") returned -1 [0063.387] lstrcmpW (lpString1="HxRuntime.HxS", lpString2="Temp") returned -1 [0063.387] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Help", pszFile="HxRuntime.HxS" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS") returned="C:\\Program Files\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS" [0063.387] PathFindExtensionW (pszPath="HxRuntime.HxS") returned=".HxS" [0063.387] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxruntime.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0063.387] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6ce8 [0063.387] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6ce8, lpName=0x0) returned 0x248 [0063.387] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0063.392] CloseHandle (hObject=0x248) returned 1 [0063.392] CloseHandle (hObject=0x24c) returned 1 [0063.395] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0063.396] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxruntime.hxs"), _Mode="rb+") returned 0x76ea4c68 [0063.396] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0063.396] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0063.396] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0063.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxruntime.hxs"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxruntime.hxs.[sepsis@protonmail.com].sepsis")) returned 1 [0063.398] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0063.398] lstrcmpW (lpString1="itircl55.dll", lpString2="..") returned 1 [0063.398] lstrcmpW (lpString1="itircl55.dll", lpString2=".") returned 1 [0063.398] lstrcmpW (lpString1="itircl55.dll", lpString2="Windows") returned -1 [0063.398] lstrcmpW (lpString1="itircl55.dll", lpString2="MSOCache") returned -1 [0063.398] lstrcmpW (lpString1="itircl55.dll", lpString2="PerfLogs") returned -1 [0063.398] lstrcmpW (lpString1="itircl55.dll", lpString2="DVD Maker") returned 1 [0063.398] lstrcmpW (lpString1="itircl55.dll", lpString2="Internet Explorer") returned 1 [0063.398] lstrcmpW (lpString1="itircl55.dll", lpString2="Reference Assemblies") returned -1 [0063.398] lstrcmpW (lpString1="itircl55.dll", lpString2="Windows Defender") returned -1 [0063.398] lstrcmpW (lpString1="itircl55.dll", lpString2="Windows Mail") returned -1 [0063.399] lstrcmpW (lpString1="itircl55.dll", lpString2="Windows Media Player") returned -1 [0063.399] lstrcmpW (lpString1="itircl55.dll", lpString2="Windows NT") returned -1 [0063.399] lstrcmpW (lpString1="itircl55.dll", lpString2="Windows Sidebar") returned -1 [0063.399] lstrcmpW (lpString1="itircl55.dll", lpString2="Startup") returned -1 [0063.399] lstrcmpW (lpString1="itircl55.dll", lpString2="Temp") returned -1 [0063.399] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Help", pszFile="itircl55.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Help\\itircl55.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\Help\\itircl55.dll" [0063.399] PathFindExtensionW (pszPath="itircl55.dll") returned=".dll" [0063.399] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\itircl55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0063.399] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1b8888 [0063.399] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x248 [0063.399] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0063.665] CloseHandle (hObject=0x248) returned 1 [0063.665] CloseHandle (hObject=0x24c) returned 1 [0064.107] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0064.116] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\itircl55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), _Mode="rb+") returned 0x76ea4c68 [0064.117] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0064.117] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0064.117] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0064.161] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\itircl55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\itircl55.dll.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0064.161] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.161] lstrcmpW (lpString1="Keywords.HxK", lpString2="..") returned 1 [0064.161] lstrcmpW (lpString1="Keywords.HxK", lpString2=".") returned 1 [0064.161] lstrcmpW (lpString1="Keywords.HxK", lpString2="Windows") returned -1 [0064.161] lstrcmpW (lpString1="Keywords.HxK", lpString2="MSOCache") returned -1 [0064.161] lstrcmpW (lpString1="Keywords.HxK", lpString2="PerfLogs") returned -1 [0064.161] lstrcmpW (lpString1="Keywords.HxK", lpString2="DVD Maker") returned 1 [0064.161] lstrcmpW (lpString1="Keywords.HxK", lpString2="Internet Explorer") returned 1 [0064.162] lstrcmpW (lpString1="Keywords.HxK", lpString2="Reference Assemblies") returned -1 [0064.162] lstrcmpW (lpString1="Keywords.HxK", lpString2="Windows Defender") returned -1 [0064.162] lstrcmpW (lpString1="Keywords.HxK", lpString2="Windows Mail") returned -1 [0064.162] lstrcmpW (lpString1="Keywords.HxK", lpString2="Windows Media Player") returned -1 [0064.162] lstrcmpW (lpString1="Keywords.HxK", lpString2="Windows NT") returned -1 [0064.162] lstrcmpW (lpString1="Keywords.HxK", lpString2="Windows Sidebar") returned -1 [0064.162] lstrcmpW (lpString1="Keywords.HxK", lpString2="Startup") returned -1 [0064.162] lstrcmpW (lpString1="Keywords.HxK", lpString2="Temp") returned -1 [0064.162] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Help", pszFile="Keywords.HxK" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Keywords.HxK") returned="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Keywords.HxK" [0064.162] PathFindExtensionW (pszPath="Keywords.HxK") returned=".HxK" [0064.162] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Keywords.HxK" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\keywords.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0064.163] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x85 [0064.163] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x85, lpName=0x0) returned 0x248 [0064.163] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0064.168] CloseHandle (hObject=0x248) returned 1 [0064.168] CloseHandle (hObject=0x24c) returned 1 [0064.170] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0064.170] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Keywords.HxK" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\keywords.hxk"), _Mode="rb+") returned 0x76ea4c68 [0064.170] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0064.170] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0064.170] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0064.171] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Keywords.HxK" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\keywords.hxk"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\Keywords.HxK.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\keywords.hxk.[sepsis@protonmail.com].sepsis")) returned 1 [0064.172] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="..") returned 1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2=".") returned 1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="Windows") returned -1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="MSOCache") returned -1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="PerfLogs") returned -1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="DVD Maker") returned 1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="Internet Explorer") returned 1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="Reference Assemblies") returned -1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="Windows Defender") returned -1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="Windows Mail") returned -1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="Windows Media Player") returned -1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="Windows NT") returned -1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="Windows Sidebar") returned -1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="Startup") returned -1 [0064.172] lstrcmpW (lpString1="msitss55.dll", lpString2="Temp") returned -1 [0064.172] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Help", pszFile="msitss55.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Help\\msitss55.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\Help\\msitss55.dll" [0064.172] PathFindExtensionW (pszPath="msitss55.dll") returned=".dll" [0064.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0064.173] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6c8b0 [0064.173] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c8b0, lpName=0x0) returned 0x248 [0064.173] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0064.491] CloseHandle (hObject=0x248) returned 1 [0064.491] CloseHandle (hObject=0x24c) returned 1 [0064.586] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0064.587] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), _Mode="rb+") returned 0x76ea4c68 [0064.587] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0064.587] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0064.587] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0064.591] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\msitss55.dll.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0064.592] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="..") returned 1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2=".") returned 1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="Windows") returned -1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="MSOCache") returned 1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="PerfLogs") returned -1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="DVD Maker") returned 1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="Internet Explorer") returned 1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="Reference Assemblies") returned -1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="Windows Defender") returned -1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="Windows Mail") returned -1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="Windows Media Player") returned -1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="Windows NT") returned -1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="Windows Sidebar") returned -1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="Startup") returned -1 [0064.592] lstrcmpW (lpString1="NamedUrls.HxK", lpString2="Temp") returned -1 [0064.592] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\Help", pszFile="NamedUrls.HxK" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\Help\\NamedUrls.HxK") returned="C:\\Program Files\\Common Files\\microsoft shared\\Help\\NamedUrls.HxK" [0064.592] PathFindExtensionW (pszPath="NamedUrls.HxK") returned=".HxK" [0064.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\NamedUrls.HxK" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\namedurls.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0064.593] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8c [0064.593] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8c, lpName=0x0) returned 0x248 [0064.593] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0064.595] CloseHandle (hObject=0x248) returned 1 [0064.595] CloseHandle (hObject=0x24c) returned 1 [0064.598] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0064.598] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\NamedUrls.HxK" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\namedurls.hxk"), _Mode="rb+") returned 0x76ea4c68 [0064.598] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0064.598] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0064.598] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0064.599] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\NamedUrls.HxK" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\namedurls.hxk"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\Help\\NamedUrls.HxK.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\namedurls.hxk.[sepsis@protonmail.com].sepsis")) returned 1 [0064.599] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0 [0064.599] FindClose (in: hFindFile=0x4d4d58 | out: hFindFile=0x4d4d58) returned 1 [0064.599] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0064.599] lstrcmpW (lpString1="ink", lpString2="..") returned 1 [0064.599] lstrcmpW (lpString1="ink", lpString2=".") returned 1 [0064.599] lstrcmpW (lpString1="ink", lpString2="Windows") returned -1 [0064.599] lstrcmpW (lpString1="ink", lpString2="MSOCache") returned -1 [0064.599] lstrcmpW (lpString1="ink", lpString2="PerfLogs") returned -1 [0064.599] lstrcmpW (lpString1="ink", lpString2="DVD Maker") returned 1 [0064.599] lstrcmpW (lpString1="ink", lpString2="Internet Explorer") returned -1 [0064.599] lstrcmpW (lpString1="ink", lpString2="Reference Assemblies") returned -1 [0064.599] lstrcmpW (lpString1="ink", lpString2="Windows Defender") returned -1 [0064.599] lstrcmpW (lpString1="ink", lpString2="Windows Mail") returned -1 [0064.599] lstrcmpW (lpString1="ink", lpString2="Windows Media Player") returned -1 [0064.599] lstrcmpW (lpString1="ink", lpString2="Windows NT") returned -1 [0064.600] lstrcmpW (lpString1="ink", lpString2="Windows Sidebar") returned -1 [0064.600] lstrcmpW (lpString1="ink", lpString2="Startup") returned -1 [0064.600] lstrcmpW (lpString1="ink", lpString2="Temp") returned -1 [0064.600] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="ink" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink" [0064.600] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*" [0064.600] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4818 [0064.767] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.784] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.784] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="..") returned 1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2=".") returned 1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="Windows") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="MSOCache") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="PerfLogs") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="DVD Maker") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="Internet Explorer") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="Reference Assemblies") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="Windows Defender") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="Windows Mail") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="Windows Media Player") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="Windows NT") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="Windows Sidebar") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="Startup") returned -1 [0064.784] lstrcmpW (lpString1="Alphabet.xml", lpString2="Temp") returned -1 [0064.784] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="Alphabet.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" [0064.784] PathFindExtensionW (pszPath="Alphabet.xml") returned=".xml" [0064.784] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.825] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.825] lstrcmpW (lpString1="ar-SA", lpString2="..") returned 1 [0064.825] lstrcmpW (lpString1="ar-SA", lpString2=".") returned 1 [0064.825] lstrcmpW (lpString1="ar-SA", lpString2="Windows") returned -1 [0064.825] lstrcmpW (lpString1="ar-SA", lpString2="MSOCache") returned -1 [0064.825] lstrcmpW (lpString1="ar-SA", lpString2="PerfLogs") returned -1 [0064.825] lstrcmpW (lpString1="ar-SA", lpString2="DVD Maker") returned -1 [0064.826] lstrcmpW (lpString1="ar-SA", lpString2="Internet Explorer") returned -1 [0064.826] lstrcmpW (lpString1="ar-SA", lpString2="Reference Assemblies") returned -1 [0064.826] lstrcmpW (lpString1="ar-SA", lpString2="Windows Defender") returned -1 [0064.826] lstrcmpW (lpString1="ar-SA", lpString2="Windows Mail") returned -1 [0064.826] lstrcmpW (lpString1="ar-SA", lpString2="Windows Media Player") returned -1 [0064.826] lstrcmpW (lpString1="ar-SA", lpString2="Windows NT") returned -1 [0064.826] lstrcmpW (lpString1="ar-SA", lpString2="Windows Sidebar") returned -1 [0064.826] lstrcmpW (lpString1="ar-SA", lpString2="Startup") returned -1 [0064.826] lstrcmpW (lpString1="ar-SA", lpString2="Temp") returned -1 [0064.826] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ar-SA" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA" [0064.826] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*" [0064.826] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d49d8 [0064.826] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.826] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.826] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0064.827] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0064.827] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" [0064.827] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0064.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.828] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0064.828] FindClose (in: hFindFile=0x4d49d8 | out: hFindFile=0x4d49d8) returned 1 [0064.828] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.828] lstrcmpW (lpString1="bg-BG", lpString2="..") returned 1 [0064.828] lstrcmpW (lpString1="bg-BG", lpString2=".") returned 1 [0064.828] lstrcmpW (lpString1="bg-BG", lpString2="Windows") returned -1 [0064.828] lstrcmpW (lpString1="bg-BG", lpString2="MSOCache") returned -1 [0064.828] lstrcmpW (lpString1="bg-BG", lpString2="PerfLogs") returned -1 [0064.828] lstrcmpW (lpString1="bg-BG", lpString2="DVD Maker") returned -1 [0064.828] lstrcmpW (lpString1="bg-BG", lpString2="Internet Explorer") returned -1 [0064.828] lstrcmpW (lpString1="bg-BG", lpString2="Reference Assemblies") returned -1 [0064.828] lstrcmpW (lpString1="bg-BG", lpString2="Windows Defender") returned -1 [0064.828] lstrcmpW (lpString1="bg-BG", lpString2="Windows Mail") returned -1 [0064.829] lstrcmpW (lpString1="bg-BG", lpString2="Windows Media Player") returned -1 [0064.829] lstrcmpW (lpString1="bg-BG", lpString2="Windows NT") returned -1 [0064.829] lstrcmpW (lpString1="bg-BG", lpString2="Windows Sidebar") returned -1 [0064.829] lstrcmpW (lpString1="bg-BG", lpString2="Startup") returned -1 [0064.829] lstrcmpW (lpString1="bg-BG", lpString2="Temp") returned -1 [0064.829] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="bg-BG" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG" [0064.829] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*" [0064.829] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4a18 [0064.829] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.829] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.829] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.829] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0064.829] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0064.829] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0064.829] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0064.829] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0064.829] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0064.829] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0064.829] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.829] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0064.829] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0064.830] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0064.830] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0064.830] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.830] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0064.830] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0064.830] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" [0064.830] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0064.830] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.830] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0064.830] FindClose (in: hFindFile=0x4d4a18 | out: hFindFile=0x4d4a18) returned 1 [0064.830] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.830] lstrcmpW (lpString1="Content.xml", lpString2="..") returned 1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2=".") returned 1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="Windows") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="MSOCache") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="PerfLogs") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="DVD Maker") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="Internet Explorer") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="Reference Assemblies") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="Windows Defender") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="Windows Mail") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="Windows Media Player") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="Windows NT") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="Windows Sidebar") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="Startup") returned -1 [0064.831] lstrcmpW (lpString1="Content.xml", lpString2="Temp") returned -1 [0064.831] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="Content.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" [0064.831] PathFindExtensionW (pszPath="Content.xml") returned=".xml" [0064.831] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.832] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="MSOCache") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="PerfLogs") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="DVD Maker") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="Internet Explorer") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="Reference Assemblies") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="Windows Defender") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="Windows Mail") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="Windows Media Player") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="Windows NT") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="Windows Sidebar") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="Startup") returned -1 [0064.832] lstrcmpW (lpString1="cs-CZ", lpString2="Temp") returned -1 [0064.832] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="cs-CZ" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ" [0064.832] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*" [0064.832] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d49d8 [0064.832] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.832] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.833] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0064.833] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0064.833] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" [0064.833] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0064.833] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.842] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0064.842] FindClose (in: hFindFile=0x4d49d8 | out: hFindFile=0x4d49d8) returned 1 [0064.842] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.842] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0064.842] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="Windows") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="MSOCache") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="PerfLogs") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="DVD Maker") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="Internet Explorer") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="Reference Assemblies") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="Windows Defender") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="Windows Mail") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="Windows Media Player") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="Windows NT") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="Windows Sidebar") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="Startup") returned -1 [0064.843] lstrcmpW (lpString1="da-DK", lpString2="Temp") returned -1 [0064.843] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="da-DK" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK" [0064.843] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*" [0064.843] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4c58 [0064.844] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.844] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.844] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0064.844] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0064.844] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" [0064.844] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0064.845] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.928] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0064.928] FindClose (in: hFindFile=0x4d4c58 | out: hFindFile=0x4d4c58) returned 1 [0064.928] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.928] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0064.928] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0064.928] lstrcmpW (lpString1="de-DE", lpString2="Windows") returned -1 [0064.928] lstrcmpW (lpString1="de-DE", lpString2="MSOCache") returned -1 [0064.928] lstrcmpW (lpString1="de-DE", lpString2="PerfLogs") returned -1 [0064.929] lstrcmpW (lpString1="de-DE", lpString2="DVD Maker") returned -1 [0064.929] lstrcmpW (lpString1="de-DE", lpString2="Internet Explorer") returned -1 [0064.929] lstrcmpW (lpString1="de-DE", lpString2="Reference Assemblies") returned -1 [0064.929] lstrcmpW (lpString1="de-DE", lpString2="Windows Defender") returned -1 [0064.929] lstrcmpW (lpString1="de-DE", lpString2="Windows Mail") returned -1 [0064.929] lstrcmpW (lpString1="de-DE", lpString2="Windows Media Player") returned -1 [0064.929] lstrcmpW (lpString1="de-DE", lpString2="Windows NT") returned -1 [0064.929] lstrcmpW (lpString1="de-DE", lpString2="Windows Sidebar") returned -1 [0064.929] lstrcmpW (lpString1="de-DE", lpString2="Startup") returned -1 [0064.929] lstrcmpW (lpString1="de-DE", lpString2="Temp") returned -1 [0064.929] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="de-DE" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE" [0064.929] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*" [0064.929] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4998 [0064.930] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.930] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.930] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.930] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0064.931] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0064.931] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" [0064.931] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0064.931] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.932] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0064.932] FindClose (in: hFindFile=0x4d4998 | out: hFindFile=0x4d4998) returned 1 [0064.932] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="Windows") returned -1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="MSOCache") returned -1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="PerfLogs") returned -1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="DVD Maker") returned 1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="Internet Explorer") returned -1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="Reference Assemblies") returned -1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="Windows Defender") returned -1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="Windows Mail") returned -1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="Windows Media Player") returned -1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="Windows NT") returned -1 [0064.932] lstrcmpW (lpString1="el-GR", lpString2="Windows Sidebar") returned -1 [0064.933] lstrcmpW (lpString1="el-GR", lpString2="Startup") returned -1 [0064.933] lstrcmpW (lpString1="el-GR", lpString2="Temp") returned -1 [0064.933] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="el-GR" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR" [0064.933] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*" [0064.933] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d49d8 [0064.933] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.933] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.933] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.933] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0064.933] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0064.933] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0064.933] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0064.933] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0064.934] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0064.934] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0064.934] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.934] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0064.934] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0064.934] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0064.934] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0064.934] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.934] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0064.934] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0064.934] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" [0064.934] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0064.934] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.934] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0064.935] FindClose (in: hFindFile=0x4d49d8 | out: hFindFile=0x4d49d8) returned 1 [0064.935] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="..") returned 1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2=".") returned 1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="Windows") returned -1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="MSOCache") returned -1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="PerfLogs") returned -1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="DVD Maker") returned 1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="Internet Explorer") returned -1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="Reference Assemblies") returned -1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="Windows Defender") returned -1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="Windows Mail") returned -1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="Windows Media Player") returned -1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="Windows NT") returned -1 [0064.935] lstrcmpW (lpString1="en-GB", lpString2="Windows Sidebar") returned -1 [0064.936] lstrcmpW (lpString1="en-GB", lpString2="Startup") returned -1 [0064.936] lstrcmpW (lpString1="en-GB", lpString2="Temp") returned -1 [0064.936] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="en-GB" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB" [0064.936] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*" [0064.936] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4dd8 [0064.936] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.936] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.936] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.936] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0064.936] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0064.936] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0064.936] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0064.936] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0064.937] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0064.937] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0064.937] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.937] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0064.937] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0064.937] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0064.937] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0064.937] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.937] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0064.937] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0064.937] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" [0064.937] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0064.937] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-GB\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-gb\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.938] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0064.938] FindClose (in: hFindFile=0x4d4dd8 | out: hFindFile=0x4d4dd8) returned 1 [0064.938] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0064.938] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0064.938] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0064.938] lstrcmpW (lpString1="en-US", lpString2="Windows") returned -1 [0064.938] lstrcmpW (lpString1="en-US", lpString2="MSOCache") returned -1 [0064.938] lstrcmpW (lpString1="en-US", lpString2="PerfLogs") returned -1 [0064.938] lstrcmpW (lpString1="en-US", lpString2="DVD Maker") returned 1 [0064.939] lstrcmpW (lpString1="en-US", lpString2="Internet Explorer") returned -1 [0064.939] lstrcmpW (lpString1="en-US", lpString2="Reference Assemblies") returned -1 [0064.939] lstrcmpW (lpString1="en-US", lpString2="Windows Defender") returned -1 [0064.939] lstrcmpW (lpString1="en-US", lpString2="Windows Mail") returned -1 [0064.939] lstrcmpW (lpString1="en-US", lpString2="Windows Media Player") returned -1 [0064.939] lstrcmpW (lpString1="en-US", lpString2="Windows NT") returned -1 [0064.939] lstrcmpW (lpString1="en-US", lpString2="Windows Sidebar") returned -1 [0064.939] lstrcmpW (lpString1="en-US", lpString2="Startup") returned -1 [0064.939] lstrcmpW (lpString1="en-US", lpString2="Temp") returned -1 [0064.939] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US" [0064.939] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0064.939] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4d18 [0064.954] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.955] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0064.955] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="..") returned 1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2=".") returned 1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="Windows") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="MSOCache") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="PerfLogs") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="DVD Maker") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="Internet Explorer") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="Reference Assemblies") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="Windows Defender") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="Windows Mail") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="Windows Media Player") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="Windows NT") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="Windows Sidebar") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="Startup") returned -1 [0064.955] lstrcmpW (lpString1="boxed-correct.avi", lpString2="Temp") returned -1 [0064.956] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="boxed-correct.avi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" [0064.956] PathFindExtensionW (pszPath="boxed-correct.avi") returned=".avi" [0064.956] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.957] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="..") returned 1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2=".") returned 1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="Windows") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="MSOCache") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="PerfLogs") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="DVD Maker") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="Internet Explorer") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="Reference Assemblies") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="Windows Defender") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="Windows Mail") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="Windows Media Player") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="Windows NT") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="Windows Sidebar") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="Startup") returned -1 [0064.957] lstrcmpW (lpString1="boxed-delete.avi", lpString2="Temp") returned -1 [0064.957] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="boxed-delete.avi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" [0064.957] PathFindExtensionW (pszPath="boxed-delete.avi") returned=".avi" [0064.957] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.958] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.958] lstrcmpW (lpString1="boxed-join.avi", lpString2="..") returned 1 [0064.958] lstrcmpW (lpString1="boxed-join.avi", lpString2=".") returned 1 [0064.958] lstrcmpW (lpString1="boxed-join.avi", lpString2="Windows") returned -1 [0064.958] lstrcmpW (lpString1="boxed-join.avi", lpString2="MSOCache") returned -1 [0064.958] lstrcmpW (lpString1="boxed-join.avi", lpString2="PerfLogs") returned -1 [0064.959] lstrcmpW (lpString1="boxed-join.avi", lpString2="DVD Maker") returned -1 [0064.959] lstrcmpW (lpString1="boxed-join.avi", lpString2="Internet Explorer") returned -1 [0064.959] lstrcmpW (lpString1="boxed-join.avi", lpString2="Reference Assemblies") returned -1 [0064.959] lstrcmpW (lpString1="boxed-join.avi", lpString2="Windows Defender") returned -1 [0064.959] lstrcmpW (lpString1="boxed-join.avi", lpString2="Windows Mail") returned -1 [0064.959] lstrcmpW (lpString1="boxed-join.avi", lpString2="Windows Media Player") returned -1 [0064.959] lstrcmpW (lpString1="boxed-join.avi", lpString2="Windows NT") returned -1 [0064.959] lstrcmpW (lpString1="boxed-join.avi", lpString2="Windows Sidebar") returned -1 [0064.959] lstrcmpW (lpString1="boxed-join.avi", lpString2="Startup") returned -1 [0064.959] lstrcmpW (lpString1="boxed-join.avi", lpString2="Temp") returned -1 [0064.959] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="boxed-join.avi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" [0064.959] PathFindExtensionW (pszPath="boxed-join.avi") returned=".avi" [0064.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.959] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.959] lstrcmpW (lpString1="boxed-split.avi", lpString2="..") returned 1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2=".") returned 1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="Windows") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="MSOCache") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="PerfLogs") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="DVD Maker") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="Internet Explorer") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="Reference Assemblies") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="Windows Defender") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="Windows Mail") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="Windows Media Player") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="Windows NT") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="Windows Sidebar") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="Startup") returned -1 [0064.960] lstrcmpW (lpString1="boxed-split.avi", lpString2="Temp") returned -1 [0064.960] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="boxed-split.avi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" [0064.960] PathFindExtensionW (pszPath="boxed-split.avi") returned=".avi" [0064.960] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.961] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="..") returned 1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2=".") returned 1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="Windows") returned -1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="MSOCache") returned -1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="PerfLogs") returned -1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="DVD Maker") returned -1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="Internet Explorer") returned -1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="Reference Assemblies") returned -1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="Windows Defender") returned -1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="Windows Mail") returned -1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="Windows Media Player") returned -1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="Windows NT") returned -1 [0064.961] lstrcmpW (lpString1="correct.avi", lpString2="Windows Sidebar") returned -1 [0064.962] lstrcmpW (lpString1="correct.avi", lpString2="Startup") returned -1 [0064.962] lstrcmpW (lpString1="correct.avi", lpString2="Temp") returned -1 [0064.962] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="correct.avi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" [0064.962] PathFindExtensionW (pszPath="correct.avi") returned=".avi" [0064.962] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.962] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.962] lstrcmpW (lpString1="delete.avi", lpString2="..") returned 1 [0064.962] lstrcmpW (lpString1="delete.avi", lpString2=".") returned 1 [0064.962] lstrcmpW (lpString1="delete.avi", lpString2="Windows") returned -1 [0064.962] lstrcmpW (lpString1="delete.avi", lpString2="MSOCache") returned -1 [0064.962] lstrcmpW (lpString1="delete.avi", lpString2="PerfLogs") returned -1 [0064.962] lstrcmpW (lpString1="delete.avi", lpString2="DVD Maker") returned -1 [0064.962] lstrcmpW (lpString1="delete.avi", lpString2="Internet Explorer") returned -1 [0064.962] lstrcmpW (lpString1="delete.avi", lpString2="Reference Assemblies") returned -1 [0064.963] lstrcmpW (lpString1="delete.avi", lpString2="Windows Defender") returned -1 [0064.963] lstrcmpW (lpString1="delete.avi", lpString2="Windows Mail") returned -1 [0064.963] lstrcmpW (lpString1="delete.avi", lpString2="Windows Media Player") returned -1 [0064.963] lstrcmpW (lpString1="delete.avi", lpString2="Windows NT") returned -1 [0064.963] lstrcmpW (lpString1="delete.avi", lpString2="Windows Sidebar") returned -1 [0064.963] lstrcmpW (lpString1="delete.avi", lpString2="Startup") returned -1 [0064.963] lstrcmpW (lpString1="delete.avi", lpString2="Temp") returned -1 [0064.963] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="delete.avi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" [0064.963] PathFindExtensionW (pszPath="delete.avi") returned=".avi" [0064.963] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.963] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.963] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="..") returned 1 [0064.963] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2=".") returned 1 [0064.963] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="Windows") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="MSOCache") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="PerfLogs") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="DVD Maker") returned 1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="Internet Explorer") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="Reference Assemblies") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="Windows Defender") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="Windows Mail") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="Windows Media Player") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="Windows NT") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="Windows Sidebar") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="Startup") returned -1 [0064.964] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="Temp") returned -1 [0064.964] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="FlickLearningWizard.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui" [0064.964] PathFindExtensionW (pszPath="FlickLearningWizard.exe.mui") returned=".mui" [0064.964] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.964] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.964] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="..") returned 1 [0064.964] lstrcmpW (lpString1="InkObj.dll.mui", lpString2=".") returned 1 [0064.964] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="Windows") returned -1 [0064.964] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="MSOCache") returned -1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="PerfLogs") returned -1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="DVD Maker") returned 1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="Internet Explorer") returned -1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="Reference Assemblies") returned -1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="Windows Defender") returned -1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="Windows Mail") returned -1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="Windows Media Player") returned -1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="Windows NT") returned -1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="Startup") returned -1 [0064.965] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="Temp") returned -1 [0064.965] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="InkObj.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" [0064.965] PathFindExtensionW (pszPath="InkObj.dll.mui") returned=".mui" [0064.965] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.965] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.965] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="..") returned 1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2=".") returned 1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="Windows") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="MSOCache") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="PerfLogs") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="DVD Maker") returned 1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="Internet Explorer") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="Reference Assemblies") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="Windows Defender") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="Windows Mail") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="Windows Media Player") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="Windows NT") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="Windows Sidebar") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="Startup") returned -1 [0064.966] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="Temp") returned -1 [0064.966] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="InputPersonalization.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui" [0064.967] PathFindExtensionW (pszPath="InputPersonalization.exe.mui") returned=".mui" [0064.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.967] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.967] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="..") returned 1 [0064.967] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2=".") returned 1 [0064.967] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Windows") returned -1 [0064.967] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="MSOCache") returned -1 [0064.967] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="PerfLogs") returned -1 [0064.967] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="DVD Maker") returned 1 [0064.967] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Internet Explorer") returned 1 [0064.967] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Reference Assemblies") returned -1 [0064.967] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Windows Defender") returned -1 [0064.968] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Windows Mail") returned -1 [0064.968] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Windows Media Player") returned -1 [0064.968] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Windows NT") returned -1 [0064.968] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.968] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Startup") returned -1 [0064.968] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Temp") returned -1 [0064.968] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="IPSEventLogMsg.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" [0064.968] PathFindExtensionW (pszPath="IPSEventLogMsg.dll.mui") returned=".mui" [0064.968] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.968] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.968] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="..") returned 1 [0064.968] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2=".") returned 1 [0064.968] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Windows") returned -1 [0064.968] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="MSOCache") returned -1 [0064.968] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="PerfLogs") returned -1 [0064.968] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="DVD Maker") returned 1 [0064.969] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Internet Explorer") returned 1 [0064.969] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Reference Assemblies") returned -1 [0064.969] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Windows Defender") returned -1 [0064.969] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Windows Mail") returned -1 [0064.969] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Windows Media Player") returned -1 [0064.969] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Windows NT") returned -1 [0064.969] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.969] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Startup") returned -1 [0064.969] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Temp") returned -1 [0064.969] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="IpsMigrationPlugin.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" [0064.969] PathFindExtensionW (pszPath="IpsMigrationPlugin.dll.mui") returned=".mui" [0064.969] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.969] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.969] lstrcmpW (lpString1="join.avi", lpString2="..") returned 1 [0064.971] lstrcmpW (lpString1="join.avi", lpString2=".") returned 1 [0064.971] lstrcmpW (lpString1="join.avi", lpString2="Windows") returned -1 [0064.971] lstrcmpW (lpString1="join.avi", lpString2="MSOCache") returned -1 [0064.971] lstrcmpW (lpString1="join.avi", lpString2="PerfLogs") returned -1 [0064.971] lstrcmpW (lpString1="join.avi", lpString2="DVD Maker") returned 1 [0064.971] lstrcmpW (lpString1="join.avi", lpString2="Internet Explorer") returned 1 [0064.972] lstrcmpW (lpString1="join.avi", lpString2="Reference Assemblies") returned -1 [0064.972] lstrcmpW (lpString1="join.avi", lpString2="Windows Defender") returned -1 [0064.972] lstrcmpW (lpString1="join.avi", lpString2="Windows Mail") returned -1 [0064.972] lstrcmpW (lpString1="join.avi", lpString2="Windows Media Player") returned -1 [0064.972] lstrcmpW (lpString1="join.avi", lpString2="Windows NT") returned -1 [0064.972] lstrcmpW (lpString1="join.avi", lpString2="Windows Sidebar") returned -1 [0064.972] lstrcmpW (lpString1="join.avi", lpString2="Startup") returned -1 [0064.972] lstrcmpW (lpString1="join.avi", lpString2="Temp") returned -1 [0064.972] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="join.avi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" [0064.972] PathFindExtensionW (pszPath="join.avi") returned=".avi" [0064.972] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.973] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.973] lstrcmpW (lpString1="micaut.dll.mui", lpString2="..") returned 1 [0064.973] lstrcmpW (lpString1="micaut.dll.mui", lpString2=".") returned 1 [0064.973] lstrcmpW (lpString1="micaut.dll.mui", lpString2="Windows") returned -1 [0064.973] lstrcmpW (lpString1="micaut.dll.mui", lpString2="MSOCache") returned -1 [0064.973] lstrcmpW (lpString1="micaut.dll.mui", lpString2="PerfLogs") returned -1 [0064.973] lstrcmpW (lpString1="micaut.dll.mui", lpString2="DVD Maker") returned 1 [0064.974] lstrcmpW (lpString1="micaut.dll.mui", lpString2="Internet Explorer") returned 1 [0064.974] lstrcmpW (lpString1="micaut.dll.mui", lpString2="Reference Assemblies") returned -1 [0064.974] lstrcmpW (lpString1="micaut.dll.mui", lpString2="Windows Defender") returned -1 [0064.974] lstrcmpW (lpString1="micaut.dll.mui", lpString2="Windows Mail") returned -1 [0064.974] lstrcmpW (lpString1="micaut.dll.mui", lpString2="Windows Media Player") returned -1 [0064.974] lstrcmpW (lpString1="micaut.dll.mui", lpString2="Windows NT") returned -1 [0064.974] lstrcmpW (lpString1="micaut.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.974] lstrcmpW (lpString1="micaut.dll.mui", lpString2="Startup") returned -1 [0064.974] lstrcmpW (lpString1="micaut.dll.mui", lpString2="Temp") returned -1 [0064.974] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="micaut.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" [0064.974] PathFindExtensionW (pszPath="micaut.dll.mui") returned=".mui" [0064.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.975] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="..") returned 1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2=".") returned 1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="Windows") returned -1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="MSOCache") returned -1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="PerfLogs") returned -1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="DVD Maker") returned 1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="Internet Explorer") returned 1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="Reference Assemblies") returned -1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="Windows Defender") returned -1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="Windows Mail") returned -1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="Windows Media Player") returned -1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="Windows NT") returned -1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="Windows Sidebar") returned -1 [0064.975] lstrcmpW (lpString1="mip.exe.mui", lpString2="Startup") returned -1 [0064.976] lstrcmpW (lpString1="mip.exe.mui", lpString2="Temp") returned -1 [0064.976] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="mip.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" [0064.976] PathFindExtensionW (pszPath="mip.exe.mui") returned=".mui" [0064.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.976] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.976] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="..") returned 1 [0064.976] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2=".") returned 1 [0064.976] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="Windows") returned -1 [0064.976] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="MSOCache") returned -1 [0064.976] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="PerfLogs") returned -1 [0064.976] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="DVD Maker") returned 1 [0064.976] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="Internet Explorer") returned 1 [0064.977] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="Reference Assemblies") returned -1 [0064.977] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="Windows Defender") returned -1 [0064.977] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="Windows Mail") returned -1 [0064.977] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="Windows Media Player") returned -1 [0064.977] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="Windows NT") returned -1 [0064.977] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.977] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="Startup") returned -1 [0064.977] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="Temp") returned -1 [0064.977] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="mshwLatin.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" [0064.977] PathFindExtensionW (pszPath="mshwLatin.dll.mui") returned=".mui" [0064.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.977] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.977] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="..") returned 1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2=".") returned 1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="Windows") returned -1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="MSOCache") returned 1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="PerfLogs") returned 1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="DVD Maker") returned 1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="Internet Explorer") returned 1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="Windows Defender") returned -1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="Windows Mail") returned -1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="Windows Media Player") returned -1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="Windows NT") returned -1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="Startup") returned -1 [0064.978] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="Temp") returned -1 [0064.978] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="rtscom.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" [0064.978] PathFindExtensionW (pszPath="rtscom.dll.mui") returned=".mui" [0064.979] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.979] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="..") returned 1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2=".") returned 1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="Windows") returned -1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="MSOCache") returned 1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="PerfLogs") returned 1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="DVD Maker") returned 1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="Internet Explorer") returned 1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="Reference Assemblies") returned 1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="Windows Defender") returned -1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="Windows Mail") returned -1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="Windows Media Player") returned -1 [0064.979] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="Windows NT") returned -1 [0064.980] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="Windows Sidebar") returned -1 [0064.980] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="Startup") returned -1 [0064.980] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="Temp") returned -1 [0064.980] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="ShapeCollector.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui" [0064.980] PathFindExtensionW (pszPath="ShapeCollector.exe.mui") returned=".mui" [0064.980] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.980] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.980] lstrcmpW (lpString1="split.avi", lpString2="..") returned 1 [0064.980] lstrcmpW (lpString1="split.avi", lpString2=".") returned 1 [0064.980] lstrcmpW (lpString1="split.avi", lpString2="Windows") returned -1 [0064.980] lstrcmpW (lpString1="split.avi", lpString2="MSOCache") returned 1 [0064.980] lstrcmpW (lpString1="split.avi", lpString2="PerfLogs") returned 1 [0064.980] lstrcmpW (lpString1="split.avi", lpString2="DVD Maker") returned 1 [0064.981] lstrcmpW (lpString1="split.avi", lpString2="Internet Explorer") returned 1 [0064.981] lstrcmpW (lpString1="split.avi", lpString2="Reference Assemblies") returned 1 [0064.981] lstrcmpW (lpString1="split.avi", lpString2="Windows Defender") returned -1 [0064.981] lstrcmpW (lpString1="split.avi", lpString2="Windows Mail") returned -1 [0064.981] lstrcmpW (lpString1="split.avi", lpString2="Windows Media Player") returned -1 [0064.981] lstrcmpW (lpString1="split.avi", lpString2="Windows NT") returned -1 [0064.981] lstrcmpW (lpString1="split.avi", lpString2="Windows Sidebar") returned -1 [0064.981] lstrcmpW (lpString1="split.avi", lpString2="Startup") returned -1 [0064.981] lstrcmpW (lpString1="split.avi", lpString2="Temp") returned -1 [0064.981] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="split.avi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" [0064.981] PathFindExtensionW (pszPath="split.avi") returned=".avi" [0064.981] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.982] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.982] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="..") returned 1 [0064.982] lstrcmpW (lpString1="tabskb.dll.mui", lpString2=".") returned 1 [0064.982] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="Windows") returned -1 [0064.982] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="MSOCache") returned 1 [0064.982] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="PerfLogs") returned 1 [0064.982] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="DVD Maker") returned 1 [0064.982] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="Internet Explorer") returned 1 [0064.983] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.983] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="Windows Defender") returned -1 [0064.983] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="Windows Mail") returned -1 [0064.983] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="Windows Media Player") returned -1 [0064.983] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="Windows NT") returned -1 [0064.983] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.983] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="Startup") returned 1 [0064.983] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="Temp") returned -1 [0064.983] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="tabskb.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" [0064.983] PathFindExtensionW (pszPath="tabskb.dll.mui") returned=".mui" [0064.983] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.984] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="..") returned 1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2=".") returned 1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="Windows") returned -1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="MSOCache") returned 1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="PerfLogs") returned 1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="DVD Maker") returned 1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="Internet Explorer") returned 1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="Reference Assemblies") returned 1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="Windows Defender") returned -1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="Windows Mail") returned -1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="Windows Media Player") returned -1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="Windows NT") returned -1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="Windows Sidebar") returned -1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="Startup") returned 1 [0064.984] lstrcmpW (lpString1="TabTip.exe.mui", lpString2="Temp") returned -1 [0064.984] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="TabTip.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui" [0064.984] PathFindExtensionW (pszPath="TabTip.exe.mui") returned=".mui" [0064.984] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TabTip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabtip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.985] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="..") returned 1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2=".") returned 1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="Windows") returned -1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="MSOCache") returned 1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="PerfLogs") returned 1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="DVD Maker") returned 1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="Internet Explorer") returned 1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="Windows Defender") returned -1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="Windows Mail") returned -1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="Windows Media Player") returned -1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="Windows NT") returned -1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="Startup") returned 1 [0064.985] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="Temp") returned 1 [0064.985] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="TipBand.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui" [0064.985] PathFindExtensionW (pszPath="TipBand.dll.mui") returned=".mui" [0064.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.986] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0064.986] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="..") returned 1 [0064.986] lstrcmpW (lpString1="TipRes.dll.mui", lpString2=".") returned 1 [0064.986] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="Windows") returned -1 [0064.986] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="MSOCache") returned 1 [0064.987] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="PerfLogs") returned 1 [0064.987] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="DVD Maker") returned 1 [0064.987] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="Internet Explorer") returned 1 [0064.987] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="Reference Assemblies") returned 1 [0064.987] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="Windows Defender") returned -1 [0064.987] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="Windows Mail") returned -1 [0064.987] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="Windows Media Player") returned -1 [0064.987] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="Windows NT") returned -1 [0064.987] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="Windows Sidebar") returned -1 [0064.987] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="Startup") returned 1 [0064.988] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="Temp") returned 1 [0064.988] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="TipRes.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" [0064.988] PathFindExtensionW (pszPath="TipRes.dll.mui") returned=".mui" [0064.988] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.001] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.001] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.002] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" [0065.002] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.002] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="..") returned 1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2=".") returned 1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="Windows") returned -1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="MSOCache") returned 1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="PerfLogs") returned 1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="DVD Maker") returned 1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="Internet Explorer") returned 1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="Windows Defender") returned -1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="Windows Mail") returned -1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="Windows Media Player") returned -1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="Windows NT") returned -1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="Startup") returned 1 [0065.002] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="Temp") returned 1 [0065.002] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US", pszFile="TipTsf.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" [0065.003] PathFindExtensionW (pszPath="TipTsf.dll.mui") returned=".mui" [0065.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.003] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.003] FindClose (in: hFindFile=0x4d4d18 | out: hFindFile=0x4d4d18) returned 1 [0065.004] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="Windows") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="MSOCache") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="PerfLogs") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="DVD Maker") returned 1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="Internet Explorer") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="Reference Assemblies") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="Windows Defender") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="Windows Mail") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="Windows Media Player") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="Windows NT") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="Windows Sidebar") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="Startup") returned -1 [0065.004] lstrcmpW (lpString1="es-ES", lpString2="Temp") returned -1 [0065.004] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="es-ES" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES" [0065.004] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*" [0065.005] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4ad8 [0065.005] FindNextFileW (in: hFindFile=0x4d4ad8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.005] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.005] FindNextFileW (in: hFindFile=0x4d4ad8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.005] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.005] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.005] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.005] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.005] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.005] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.005] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.005] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.006] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.006] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.006] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.006] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.006] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.006] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.006] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.006] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" [0065.006] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.006] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.007] FindNextFileW (in: hFindFile=0x4d4ad8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.007] FindClose (in: hFindFile=0x4d4ad8 | out: hFindFile=0x4d4ad8) returned 1 [0065.007] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.007] lstrcmpW (lpString1="et-EE", lpString2="..") returned 1 [0065.007] lstrcmpW (lpString1="et-EE", lpString2=".") returned 1 [0065.007] lstrcmpW (lpString1="et-EE", lpString2="Windows") returned -1 [0065.007] lstrcmpW (lpString1="et-EE", lpString2="MSOCache") returned -1 [0065.007] lstrcmpW (lpString1="et-EE", lpString2="PerfLogs") returned -1 [0065.007] lstrcmpW (lpString1="et-EE", lpString2="DVD Maker") returned 1 [0065.007] lstrcmpW (lpString1="et-EE", lpString2="Internet Explorer") returned -1 [0065.008] lstrcmpW (lpString1="et-EE", lpString2="Reference Assemblies") returned -1 [0065.008] lstrcmpW (lpString1="et-EE", lpString2="Windows Defender") returned -1 [0065.008] lstrcmpW (lpString1="et-EE", lpString2="Windows Mail") returned -1 [0065.008] lstrcmpW (lpString1="et-EE", lpString2="Windows Media Player") returned -1 [0065.008] lstrcmpW (lpString1="et-EE", lpString2="Windows NT") returned -1 [0065.008] lstrcmpW (lpString1="et-EE", lpString2="Windows Sidebar") returned -1 [0065.008] lstrcmpW (lpString1="et-EE", lpString2="Startup") returned -1 [0065.008] lstrcmpW (lpString1="et-EE", lpString2="Temp") returned -1 [0065.008] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="et-EE" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE" [0065.008] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*" [0065.008] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4c98 [0065.008] FindNextFileW (in: hFindFile=0x4d4c98, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.009] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.009] FindNextFileW (in: hFindFile=0x4d4c98, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.009] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.010] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.010] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui" [0065.010] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.010] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.010] FindNextFileW (in: hFindFile=0x4d4c98, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.010] FindClose (in: hFindFile=0x4d4c98 | out: hFindFile=0x4d4c98) returned 1 [0065.010] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.010] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0065.010] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0065.010] lstrcmpW (lpString1="fi-FI", lpString2="Windows") returned -1 [0065.010] lstrcmpW (lpString1="fi-FI", lpString2="MSOCache") returned -1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="PerfLogs") returned -1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="DVD Maker") returned 1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="Internet Explorer") returned -1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="Reference Assemblies") returned -1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="Windows Defender") returned -1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="Windows Mail") returned -1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="Windows Media Player") returned -1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="Windows NT") returned -1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="Windows Sidebar") returned -1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="Startup") returned -1 [0065.011] lstrcmpW (lpString1="fi-FI", lpString2="Temp") returned -1 [0065.011] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="fi-FI" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI" [0065.011] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*" [0065.011] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d48d8 [0065.012] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.012] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.012] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.012] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.012] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.012] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.012] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.012] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.012] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.012] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.012] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.012] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.013] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.013] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.013] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.013] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.013] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.013] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.013] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui" [0065.013] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.043] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.043] FindClose (in: hFindFile=0x4d48d8 | out: hFindFile=0x4d48d8) returned 1 [0065.044] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="..") returned 1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2=".") returned 1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="Windows") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="MSOCache") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="PerfLogs") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="DVD Maker") returned 1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="Internet Explorer") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="Reference Assemblies") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="Windows Defender") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="Windows Mail") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="Windows Media Player") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="Windows NT") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="Windows Sidebar") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="Startup") returned -1 [0065.044] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="Temp") returned -1 [0065.044] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="FlickAnimation.avi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" [0065.044] PathFindExtensionW (pszPath="FlickAnimation.avi") returned=".avi" [0065.044] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.045] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.045] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="..") returned 1 [0065.045] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2=".") returned 1 [0065.045] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="Windows") returned -1 [0065.045] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="MSOCache") returned -1 [0065.045] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="PerfLogs") returned -1 [0065.045] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="DVD Maker") returned 1 [0065.045] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="Internet Explorer") returned -1 [0065.045] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="Reference Assemblies") returned -1 [0065.045] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="Windows Defender") returned -1 [0065.045] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="Windows Mail") returned -1 [0065.046] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="Windows Media Player") returned -1 [0065.046] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="Windows NT") returned -1 [0065.046] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="Windows Sidebar") returned -1 [0065.046] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="Startup") returned -1 [0065.046] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="Temp") returned -1 [0065.046] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="FlickLearningWizard.exe" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" [0065.046] PathFindExtensionW (pszPath="FlickLearningWizard.exe") returned=".exe" [0065.046] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.046] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="Windows") returned -1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="MSOCache") returned -1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="PerfLogs") returned -1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="DVD Maker") returned 1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="Internet Explorer") returned -1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="Reference Assemblies") returned -1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="Windows Defender") returned -1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="Windows Mail") returned -1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="Windows Media Player") returned -1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="Windows NT") returned -1 [0065.046] lstrcmpW (lpString1="fr-FR", lpString2="Windows Sidebar") returned -1 [0065.047] lstrcmpW (lpString1="fr-FR", lpString2="Startup") returned -1 [0065.047] lstrcmpW (lpString1="fr-FR", lpString2="Temp") returned -1 [0065.047] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="fr-FR" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR" [0065.047] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\*.*" [0065.047] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4cd8 [0065.047] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.047] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.047] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.047] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.047] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.047] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.047] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.047] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.048] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.048] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.048] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.048] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.048] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.048] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.048] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.048] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.048] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.048] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.048] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui" [0065.048] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.048] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.048] FindNextFileW (in: hFindFile=0x4d4cd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.048] FindClose (in: hFindFile=0x4d4cd8 | out: hFindFile=0x4d4cd8) returned 1 [0065.048] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.048] lstrcmpW (lpString1="fsdefinitions", lpString2="..") returned 1 [0065.048] lstrcmpW (lpString1="fsdefinitions", lpString2=".") returned 1 [0065.048] lstrcmpW (lpString1="fsdefinitions", lpString2="Windows") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="MSOCache") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="PerfLogs") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="DVD Maker") returned 1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="Internet Explorer") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="Reference Assemblies") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="Windows Defender") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="Windows Mail") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="Windows Media Player") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="Windows NT") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="Windows Sidebar") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="Startup") returned -1 [0065.049] lstrcmpW (lpString1="fsdefinitions", lpString2="Temp") returned -1 [0065.049] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="fsdefinitions" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions" [0065.049] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\*.*" [0065.049] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d48d8 [0065.070] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.070] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2="..") returned 1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2=".") returned 1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2="Windows") returned -1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2="MSOCache") returned -1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2="PerfLogs") returned -1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2="DVD Maker") returned -1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2="Internet Explorer") returned -1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2="Reference Assemblies") returned -1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2="Windows Defender") returned -1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2="Windows Mail") returned -1 [0065.070] lstrcmpW (lpString1="auxpad", lpString2="Windows Media Player") returned -1 [0065.071] lstrcmpW (lpString1="auxpad", lpString2="Windows NT") returned -1 [0065.071] lstrcmpW (lpString1="auxpad", lpString2="Windows Sidebar") returned -1 [0065.071] lstrcmpW (lpString1="auxpad", lpString2="Startup") returned -1 [0065.071] lstrcmpW (lpString1="auxpad", lpString2="Temp") returned -1 [0065.071] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="auxpad" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad" [0065.071] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\*.*" [0065.071] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d49d8 [0065.071] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.072] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.072] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="..") returned 1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2=".") returned 1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="Windows") returned -1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="MSOCache") returned -1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="PerfLogs") returned -1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="DVD Maker") returned -1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="Internet Explorer") returned -1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="Reference Assemblies") returned -1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="Windows Defender") returned -1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="Windows Mail") returned -1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="Windows Media Player") returned -1 [0065.072] lstrcmpW (lpString1="auxbase.xml", lpString2="Windows NT") returned -1 [0065.073] lstrcmpW (lpString1="auxbase.xml", lpString2="Windows Sidebar") returned -1 [0065.073] lstrcmpW (lpString1="auxbase.xml", lpString2="Startup") returned -1 [0065.073] lstrcmpW (lpString1="auxbase.xml", lpString2="Temp") returned -1 [0065.073] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad", pszFile="auxbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" [0065.073] PathFindExtensionW (pszPath="auxbase.xml") returned=".xml" [0065.073] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.074] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0 [0065.074] FindClose (in: hFindFile=0x4d49d8 | out: hFindFile=0x4d49d8) returned 1 [0065.074] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="..") returned 1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2=".") returned 1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="Windows") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="MSOCache") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="PerfLogs") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="DVD Maker") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="Internet Explorer") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="Reference Assemblies") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="Windows Defender") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="Windows Mail") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="Windows Media Player") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="Windows NT") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="Windows Sidebar") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="Startup") returned -1 [0065.074] lstrcmpW (lpString1="auxpad.xml", lpString2="Temp") returned -1 [0065.074] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="auxpad.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" [0065.075] PathFindExtensionW (pszPath="auxpad.xml") returned=".xml" [0065.075] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.075] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.075] lstrcmpW (lpString1="insert", lpString2="..") returned 1 [0065.075] lstrcmpW (lpString1="insert", lpString2=".") returned 1 [0065.075] lstrcmpW (lpString1="insert", lpString2="Windows") returned -1 [0065.075] lstrcmpW (lpString1="insert", lpString2="MSOCache") returned -1 [0065.075] lstrcmpW (lpString1="insert", lpString2="PerfLogs") returned -1 [0065.075] lstrcmpW (lpString1="insert", lpString2="DVD Maker") returned 1 [0065.075] lstrcmpW (lpString1="insert", lpString2="Internet Explorer") returned -1 [0065.076] lstrcmpW (lpString1="insert", lpString2="Reference Assemblies") returned -1 [0065.076] lstrcmpW (lpString1="insert", lpString2="Windows Defender") returned -1 [0065.076] lstrcmpW (lpString1="insert", lpString2="Windows Mail") returned -1 [0065.076] lstrcmpW (lpString1="insert", lpString2="Windows Media Player") returned -1 [0065.076] lstrcmpW (lpString1="insert", lpString2="Windows NT") returned -1 [0065.076] lstrcmpW (lpString1="insert", lpString2="Windows Sidebar") returned -1 [0065.076] lstrcmpW (lpString1="insert", lpString2="Startup") returned -1 [0065.076] lstrcmpW (lpString1="insert", lpString2="Temp") returned -1 [0065.076] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="insert" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert" [0065.076] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\*.*" [0065.076] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d4998 [0065.076] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.076] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.077] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="..") returned 1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2=".") returned 1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="Windows") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="MSOCache") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="PerfLogs") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="DVD Maker") returned 1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="Internet Explorer") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="Reference Assemblies") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="Windows Defender") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="Windows Mail") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="Windows Media Player") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="Windows NT") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="Windows Sidebar") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="Startup") returned -1 [0065.077] lstrcmpW (lpString1="insertbase.xml", lpString2="Temp") returned -1 [0065.077] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert", pszFile="insertbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" [0065.078] PathFindExtensionW (pszPath="insertbase.xml") returned=".xml" [0065.078] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.078] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0 [0065.078] FindClose (in: hFindFile=0x4d4998 | out: hFindFile=0x4d4998) returned 1 [0065.078] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.078] lstrcmpW (lpString1="insert.xml", lpString2="..") returned 1 [0065.078] lstrcmpW (lpString1="insert.xml", lpString2=".") returned 1 [0065.078] lstrcmpW (lpString1="insert.xml", lpString2="Windows") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="MSOCache") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="PerfLogs") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="DVD Maker") returned 1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="Internet Explorer") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="Reference Assemblies") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="Windows Defender") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="Windows Mail") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="Windows Media Player") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="Windows NT") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="Windows Sidebar") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="Startup") returned -1 [0065.079] lstrcmpW (lpString1="insert.xml", lpString2="Temp") returned -1 [0065.079] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="insert.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" [0065.079] PathFindExtensionW (pszPath="insert.xml") returned=".xml" [0065.079] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.080] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="..") returned 1 [0065.080] lstrcmpW (lpString1="keypad", lpString2=".") returned 1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="Windows") returned -1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="MSOCache") returned -1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="PerfLogs") returned -1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="DVD Maker") returned 1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="Internet Explorer") returned 1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="Reference Assemblies") returned -1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="Windows Defender") returned -1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="Windows Mail") returned -1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="Windows Media Player") returned -1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="Windows NT") returned -1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="Windows Sidebar") returned -1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="Startup") returned -1 [0065.080] lstrcmpW (lpString1="keypad", lpString2="Temp") returned -1 [0065.080] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="keypad" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad" [0065.081] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\*.*" [0065.081] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d4dd8 [0065.081] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.081] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.081] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.081] lstrcmpW (lpString1="ea.xml", lpString2="..") returned 1 [0065.081] lstrcmpW (lpString1="ea.xml", lpString2=".") returned 1 [0065.081] lstrcmpW (lpString1="ea.xml", lpString2="Windows") returned -1 [0065.081] lstrcmpW (lpString1="ea.xml", lpString2="MSOCache") returned -1 [0065.081] lstrcmpW (lpString1="ea.xml", lpString2="PerfLogs") returned -1 [0065.082] lstrcmpW (lpString1="ea.xml", lpString2="DVD Maker") returned 1 [0065.082] lstrcmpW (lpString1="ea.xml", lpString2="Internet Explorer") returned -1 [0065.082] lstrcmpW (lpString1="ea.xml", lpString2="Reference Assemblies") returned -1 [0065.082] lstrcmpW (lpString1="ea.xml", lpString2="Windows Defender") returned -1 [0065.082] lstrcmpW (lpString1="ea.xml", lpString2="Windows Mail") returned -1 [0065.082] lstrcmpW (lpString1="ea.xml", lpString2="Windows Media Player") returned -1 [0065.082] lstrcmpW (lpString1="ea.xml", lpString2="Windows NT") returned -1 [0065.082] lstrcmpW (lpString1="ea.xml", lpString2="Windows Sidebar") returned -1 [0065.082] lstrcmpW (lpString1="ea.xml", lpString2="Startup") returned -1 [0065.082] lstrcmpW (lpString1="ea.xml", lpString2="Temp") returned -1 [0065.082] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad", pszFile="ea.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" [0065.082] PathFindExtensionW (pszPath="ea.xml") returned=".xml" [0065.082] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.082] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.082] lstrcmpW (lpString1="keypadbase.xml", lpString2="..") returned 1 [0065.082] lstrcmpW (lpString1="keypadbase.xml", lpString2=".") returned 1 [0065.082] lstrcmpW (lpString1="keypadbase.xml", lpString2="Windows") returned -1 [0065.082] lstrcmpW (lpString1="keypadbase.xml", lpString2="MSOCache") returned -1 [0065.082] lstrcmpW (lpString1="keypadbase.xml", lpString2="PerfLogs") returned -1 [0065.082] lstrcmpW (lpString1="keypadbase.xml", lpString2="DVD Maker") returned 1 [0065.082] lstrcmpW (lpString1="keypadbase.xml", lpString2="Internet Explorer") returned 1 [0065.083] lstrcmpW (lpString1="keypadbase.xml", lpString2="Reference Assemblies") returned -1 [0065.083] lstrcmpW (lpString1="keypadbase.xml", lpString2="Windows Defender") returned -1 [0065.083] lstrcmpW (lpString1="keypadbase.xml", lpString2="Windows Mail") returned -1 [0065.083] lstrcmpW (lpString1="keypadbase.xml", lpString2="Windows Media Player") returned -1 [0065.083] lstrcmpW (lpString1="keypadbase.xml", lpString2="Windows NT") returned -1 [0065.083] lstrcmpW (lpString1="keypadbase.xml", lpString2="Windows Sidebar") returned -1 [0065.083] lstrcmpW (lpString1="keypadbase.xml", lpString2="Startup") returned -1 [0065.083] lstrcmpW (lpString1="keypadbase.xml", lpString2="Temp") returned -1 [0065.083] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad", pszFile="keypadbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" [0065.083] PathFindExtensionW (pszPath="keypadbase.xml") returned=".xml" [0065.083] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.083] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.083] lstrcmpW (lpString1="kor-kor.xml", lpString2="..") returned 1 [0065.083] lstrcmpW (lpString1="kor-kor.xml", lpString2=".") returned 1 [0065.083] lstrcmpW (lpString1="kor-kor.xml", lpString2="Windows") returned -1 [0065.083] lstrcmpW (lpString1="kor-kor.xml", lpString2="MSOCache") returned -1 [0065.083] lstrcmpW (lpString1="kor-kor.xml", lpString2="PerfLogs") returned -1 [0065.083] lstrcmpW (lpString1="kor-kor.xml", lpString2="DVD Maker") returned 1 [0065.083] lstrcmpW (lpString1="kor-kor.xml", lpString2="Internet Explorer") returned 1 [0065.083] lstrcmpW (lpString1="kor-kor.xml", lpString2="Reference Assemblies") returned -1 [0065.083] lstrcmpW (lpString1="kor-kor.xml", lpString2="Windows Defender") returned -1 [0065.083] lstrcmpW (lpString1="kor-kor.xml", lpString2="Windows Mail") returned -1 [0065.084] lstrcmpW (lpString1="kor-kor.xml", lpString2="Windows Media Player") returned -1 [0065.084] lstrcmpW (lpString1="kor-kor.xml", lpString2="Windows NT") returned -1 [0065.084] lstrcmpW (lpString1="kor-kor.xml", lpString2="Windows Sidebar") returned -1 [0065.084] lstrcmpW (lpString1="kor-kor.xml", lpString2="Startup") returned -1 [0065.084] lstrcmpW (lpString1="kor-kor.xml", lpString2="Temp") returned -1 [0065.084] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad", pszFile="kor-kor.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" [0065.084] PathFindExtensionW (pszPath="kor-kor.xml") returned=".xml" [0065.084] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.084] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0 [0065.084] FindClose (in: hFindFile=0x4d4dd8 | out: hFindFile=0x4d4dd8) returned 1 [0065.084] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.084] lstrcmpW (lpString1="keypad.xml", lpString2="..") returned 1 [0065.084] lstrcmpW (lpString1="keypad.xml", lpString2=".") returned 1 [0065.084] lstrcmpW (lpString1="keypad.xml", lpString2="Windows") returned -1 [0065.084] lstrcmpW (lpString1="keypad.xml", lpString2="MSOCache") returned -1 [0065.084] lstrcmpW (lpString1="keypad.xml", lpString2="PerfLogs") returned -1 [0065.084] lstrcmpW (lpString1="keypad.xml", lpString2="DVD Maker") returned 1 [0065.084] lstrcmpW (lpString1="keypad.xml", lpString2="Internet Explorer") returned 1 [0065.084] lstrcmpW (lpString1="keypad.xml", lpString2="Reference Assemblies") returned -1 [0065.084] lstrcmpW (lpString1="keypad.xml", lpString2="Windows Defender") returned -1 [0065.085] lstrcmpW (lpString1="keypad.xml", lpString2="Windows Mail") returned -1 [0065.085] lstrcmpW (lpString1="keypad.xml", lpString2="Windows Media Player") returned -1 [0065.085] lstrcmpW (lpString1="keypad.xml", lpString2="Windows NT") returned -1 [0065.085] lstrcmpW (lpString1="keypad.xml", lpString2="Windows Sidebar") returned -1 [0065.085] lstrcmpW (lpString1="keypad.xml", lpString2="Startup") returned -1 [0065.085] lstrcmpW (lpString1="keypad.xml", lpString2="Temp") returned -1 [0065.085] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="keypad.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" [0065.085] PathFindExtensionW (pszPath="keypad.xml") returned=".xml" [0065.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.085] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.085] lstrcmpW (lpString1="main", lpString2="..") returned 1 [0065.085] lstrcmpW (lpString1="main", lpString2=".") returned 1 [0065.085] lstrcmpW (lpString1="main", lpString2="Windows") returned -1 [0065.085] lstrcmpW (lpString1="main", lpString2="MSOCache") returned -1 [0065.086] lstrcmpW (lpString1="main", lpString2="PerfLogs") returned -1 [0065.086] lstrcmpW (lpString1="main", lpString2="DVD Maker") returned 1 [0065.086] lstrcmpW (lpString1="main", lpString2="Internet Explorer") returned 1 [0065.086] lstrcmpW (lpString1="main", lpString2="Reference Assemblies") returned -1 [0065.086] lstrcmpW (lpString1="main", lpString2="Windows Defender") returned -1 [0065.086] lstrcmpW (lpString1="main", lpString2="Windows Mail") returned -1 [0065.086] lstrcmpW (lpString1="main", lpString2="Windows Media Player") returned -1 [0065.086] lstrcmpW (lpString1="main", lpString2="Windows NT") returned -1 [0065.086] lstrcmpW (lpString1="main", lpString2="Windows Sidebar") returned -1 [0065.086] lstrcmpW (lpString1="main", lpString2="Startup") returned -1 [0065.086] lstrcmpW (lpString1="main", lpString2="Temp") returned -1 [0065.086] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="main" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main" [0065.086] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\*.*" [0065.086] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d4858 [0065.087] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.087] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.087] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.087] lstrcmpW (lpString1="base.xml", lpString2="..") returned 1 [0065.087] lstrcmpW (lpString1="base.xml", lpString2=".") returned 1 [0065.087] lstrcmpW (lpString1="base.xml", lpString2="Windows") returned -1 [0065.087] lstrcmpW (lpString1="base.xml", lpString2="MSOCache") returned -1 [0065.087] lstrcmpW (lpString1="base.xml", lpString2="PerfLogs") returned -1 [0065.087] lstrcmpW (lpString1="base.xml", lpString2="DVD Maker") returned -1 [0065.088] lstrcmpW (lpString1="base.xml", lpString2="Internet Explorer") returned -1 [0065.088] lstrcmpW (lpString1="base.xml", lpString2="Reference Assemblies") returned -1 [0065.088] lstrcmpW (lpString1="base.xml", lpString2="Windows Defender") returned -1 [0065.088] lstrcmpW (lpString1="base.xml", lpString2="Windows Mail") returned -1 [0065.088] lstrcmpW (lpString1="base.xml", lpString2="Windows Media Player") returned -1 [0065.088] lstrcmpW (lpString1="base.xml", lpString2="Windows NT") returned -1 [0065.088] lstrcmpW (lpString1="base.xml", lpString2="Windows Sidebar") returned -1 [0065.088] lstrcmpW (lpString1="base.xml", lpString2="Startup") returned -1 [0065.088] lstrcmpW (lpString1="base.xml", lpString2="Temp") returned -1 [0065.088] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="base.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" [0065.088] PathFindExtensionW (pszPath="base.xml") returned=".xml" [0065.088] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.088] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="..") returned 1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2=".") returned 1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="Windows") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="MSOCache") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="PerfLogs") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="DVD Maker") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="Internet Explorer") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="Reference Assemblies") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="Windows Defender") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="Windows Mail") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="Windows Media Player") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="Windows NT") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="Windows Sidebar") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="Startup") returned -1 [0065.089] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="Temp") returned -1 [0065.089] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="baseAltGr_rtl.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" [0065.089] PathFindExtensionW (pszPath="baseAltGr_rtl.xml") returned=".xml" [0065.089] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.090] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="..") returned 1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2=".") returned 1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="Windows") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="MSOCache") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="PerfLogs") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="DVD Maker") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="Internet Explorer") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="Reference Assemblies") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="Windows Defender") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="Windows Mail") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="Windows Media Player") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="Windows NT") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="Windows Sidebar") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="Startup") returned -1 [0065.090] lstrcmpW (lpString1="base_altgr.xml", lpString2="Temp") returned -1 [0065.091] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="base_altgr.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" [0065.091] PathFindExtensionW (pszPath="base_altgr.xml") returned=".xml" [0065.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.091] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.091] lstrcmpW (lpString1="base_ca.xml", lpString2="..") returned 1 [0065.091] lstrcmpW (lpString1="base_ca.xml", lpString2=".") returned 1 [0065.091] lstrcmpW (lpString1="base_ca.xml", lpString2="Windows") returned -1 [0065.091] lstrcmpW (lpString1="base_ca.xml", lpString2="MSOCache") returned -1 [0065.091] lstrcmpW (lpString1="base_ca.xml", lpString2="PerfLogs") returned -1 [0065.091] lstrcmpW (lpString1="base_ca.xml", lpString2="DVD Maker") returned -1 [0065.091] lstrcmpW (lpString1="base_ca.xml", lpString2="Internet Explorer") returned -1 [0065.091] lstrcmpW (lpString1="base_ca.xml", lpString2="Reference Assemblies") returned -1 [0065.091] lstrcmpW (lpString1="base_ca.xml", lpString2="Windows Defender") returned -1 [0065.091] lstrcmpW (lpString1="base_ca.xml", lpString2="Windows Mail") returned -1 [0065.092] lstrcmpW (lpString1="base_ca.xml", lpString2="Windows Media Player") returned -1 [0065.092] lstrcmpW (lpString1="base_ca.xml", lpString2="Windows NT") returned -1 [0065.092] lstrcmpW (lpString1="base_ca.xml", lpString2="Windows Sidebar") returned -1 [0065.092] lstrcmpW (lpString1="base_ca.xml", lpString2="Startup") returned -1 [0065.092] lstrcmpW (lpString1="base_ca.xml", lpString2="Temp") returned -1 [0065.092] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="base_ca.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" [0065.092] PathFindExtensionW (pszPath="base_ca.xml") returned=".xml" [0065.092] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.093] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="..") returned 1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2=".") returned 1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="Windows") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="MSOCache") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="PerfLogs") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="DVD Maker") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="Internet Explorer") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="Reference Assemblies") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="Windows Defender") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="Windows Mail") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="Windows Media Player") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="Windows NT") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="Windows Sidebar") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="Startup") returned -1 [0065.093] lstrcmpW (lpString1="base_heb.xml", lpString2="Temp") returned -1 [0065.094] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="base_heb.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" [0065.094] PathFindExtensionW (pszPath="base_heb.xml") returned=".xml" [0065.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.094] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.094] lstrcmpW (lpString1="base_jpn.xml", lpString2="..") returned 1 [0065.094] lstrcmpW (lpString1="base_jpn.xml", lpString2=".") returned 1 [0065.094] lstrcmpW (lpString1="base_jpn.xml", lpString2="Windows") returned -1 [0065.094] lstrcmpW (lpString1="base_jpn.xml", lpString2="MSOCache") returned -1 [0065.094] lstrcmpW (lpString1="base_jpn.xml", lpString2="PerfLogs") returned -1 [0065.094] lstrcmpW (lpString1="base_jpn.xml", lpString2="DVD Maker") returned -1 [0065.094] lstrcmpW (lpString1="base_jpn.xml", lpString2="Internet Explorer") returned -1 [0065.094] lstrcmpW (lpString1="base_jpn.xml", lpString2="Reference Assemblies") returned -1 [0065.094] lstrcmpW (lpString1="base_jpn.xml", lpString2="Windows Defender") returned -1 [0065.094] lstrcmpW (lpString1="base_jpn.xml", lpString2="Windows Mail") returned -1 [0065.095] lstrcmpW (lpString1="base_jpn.xml", lpString2="Windows Media Player") returned -1 [0065.095] lstrcmpW (lpString1="base_jpn.xml", lpString2="Windows NT") returned -1 [0065.095] lstrcmpW (lpString1="base_jpn.xml", lpString2="Windows Sidebar") returned -1 [0065.095] lstrcmpW (lpString1="base_jpn.xml", lpString2="Startup") returned -1 [0065.095] lstrcmpW (lpString1="base_jpn.xml", lpString2="Temp") returned -1 [0065.095] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="base_jpn.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" [0065.095] PathFindExtensionW (pszPath="base_jpn.xml") returned=".xml" [0065.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.095] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.095] lstrcmpW (lpString1="base_kor.xml", lpString2="..") returned 1 [0065.095] lstrcmpW (lpString1="base_kor.xml", lpString2=".") returned 1 [0065.095] lstrcmpW (lpString1="base_kor.xml", lpString2="Windows") returned -1 [0065.095] lstrcmpW (lpString1="base_kor.xml", lpString2="MSOCache") returned -1 [0065.095] lstrcmpW (lpString1="base_kor.xml", lpString2="PerfLogs") returned -1 [0065.096] lstrcmpW (lpString1="base_kor.xml", lpString2="DVD Maker") returned -1 [0065.096] lstrcmpW (lpString1="base_kor.xml", lpString2="Internet Explorer") returned -1 [0065.096] lstrcmpW (lpString1="base_kor.xml", lpString2="Reference Assemblies") returned -1 [0065.096] lstrcmpW (lpString1="base_kor.xml", lpString2="Windows Defender") returned -1 [0065.096] lstrcmpW (lpString1="base_kor.xml", lpString2="Windows Mail") returned -1 [0065.096] lstrcmpW (lpString1="base_kor.xml", lpString2="Windows Media Player") returned -1 [0065.096] lstrcmpW (lpString1="base_kor.xml", lpString2="Windows NT") returned -1 [0065.096] lstrcmpW (lpString1="base_kor.xml", lpString2="Windows Sidebar") returned -1 [0065.096] lstrcmpW (lpString1="base_kor.xml", lpString2="Startup") returned -1 [0065.096] lstrcmpW (lpString1="base_kor.xml", lpString2="Temp") returned -1 [0065.096] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="base_kor.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" [0065.096] PathFindExtensionW (pszPath="base_kor.xml") returned=".xml" [0065.096] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.097] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2="..") returned 1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2=".") returned 1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2="Windows") returned -1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2="MSOCache") returned -1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2="PerfLogs") returned -1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2="DVD Maker") returned -1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2="Internet Explorer") returned -1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2="Reference Assemblies") returned -1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2="Windows Defender") returned -1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2="Windows Mail") returned -1 [0065.097] lstrcmpW (lpString1="base_rtl.xml", lpString2="Windows Media Player") returned -1 [0065.098] lstrcmpW (lpString1="base_rtl.xml", lpString2="Windows NT") returned -1 [0065.098] lstrcmpW (lpString1="base_rtl.xml", lpString2="Windows Sidebar") returned -1 [0065.098] lstrcmpW (lpString1="base_rtl.xml", lpString2="Startup") returned -1 [0065.098] lstrcmpW (lpString1="base_rtl.xml", lpString2="Temp") returned -1 [0065.098] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="base_rtl.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml" [0065.098] PathFindExtensionW (pszPath="base_rtl.xml") returned=".xml" [0065.098] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.099] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="..") returned 1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2=".") returned 1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="Windows") returned -1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="MSOCache") returned -1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="PerfLogs") returned -1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="DVD Maker") returned 1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="Internet Explorer") returned 1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="Reference Assemblies") returned -1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="Windows Defender") returned -1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="Windows Mail") returned -1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="Windows Media Player") returned -1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="Windows NT") returned -1 [0065.099] lstrcmpW (lpString1="ja-jp.xml", lpString2="Windows Sidebar") returned -1 [0065.100] lstrcmpW (lpString1="ja-jp.xml", lpString2="Startup") returned -1 [0065.100] lstrcmpW (lpString1="ja-jp.xml", lpString2="Temp") returned -1 [0065.100] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="ja-jp.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" [0065.100] PathFindExtensionW (pszPath="ja-jp.xml") returned=".xml" [0065.100] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.100] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.100] lstrcmpW (lpString1="ko-kr.xml", lpString2="..") returned 1 [0065.100] lstrcmpW (lpString1="ko-kr.xml", lpString2=".") returned 1 [0065.100] lstrcmpW (lpString1="ko-kr.xml", lpString2="Windows") returned -1 [0065.100] lstrcmpW (lpString1="ko-kr.xml", lpString2="MSOCache") returned -1 [0065.100] lstrcmpW (lpString1="ko-kr.xml", lpString2="PerfLogs") returned -1 [0065.100] lstrcmpW (lpString1="ko-kr.xml", lpString2="DVD Maker") returned 1 [0065.100] lstrcmpW (lpString1="ko-kr.xml", lpString2="Internet Explorer") returned 1 [0065.100] lstrcmpW (lpString1="ko-kr.xml", lpString2="Reference Assemblies") returned -1 [0065.101] lstrcmpW (lpString1="ko-kr.xml", lpString2="Windows Defender") returned -1 [0065.101] lstrcmpW (lpString1="ko-kr.xml", lpString2="Windows Mail") returned -1 [0065.101] lstrcmpW (lpString1="ko-kr.xml", lpString2="Windows Media Player") returned -1 [0065.101] lstrcmpW (lpString1="ko-kr.xml", lpString2="Windows NT") returned -1 [0065.101] lstrcmpW (lpString1="ko-kr.xml", lpString2="Windows Sidebar") returned -1 [0065.101] lstrcmpW (lpString1="ko-kr.xml", lpString2="Startup") returned -1 [0065.101] lstrcmpW (lpString1="ko-kr.xml", lpString2="Temp") returned -1 [0065.101] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="ko-kr.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" [0065.101] PathFindExtensionW (pszPath="ko-kr.xml") returned=".xml" [0065.101] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.102] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.102] lstrcmpW (lpString1="zh-changjei.xml", lpString2="..") returned 1 [0065.102] lstrcmpW (lpString1="zh-changjei.xml", lpString2=".") returned 1 [0065.102] lstrcmpW (lpString1="zh-changjei.xml", lpString2="Windows") returned 1 [0065.102] lstrcmpW (lpString1="zh-changjei.xml", lpString2="MSOCache") returned 1 [0065.102] lstrcmpW (lpString1="zh-changjei.xml", lpString2="PerfLogs") returned 1 [0065.102] lstrcmpW (lpString1="zh-changjei.xml", lpString2="DVD Maker") returned 1 [0065.102] lstrcmpW (lpString1="zh-changjei.xml", lpString2="Internet Explorer") returned 1 [0065.102] lstrcmpW (lpString1="zh-changjei.xml", lpString2="Reference Assemblies") returned 1 [0065.102] lstrcmpW (lpString1="zh-changjei.xml", lpString2="Windows Defender") returned 1 [0065.102] lstrcmpW (lpString1="zh-changjei.xml", lpString2="Windows Mail") returned 1 [0065.103] lstrcmpW (lpString1="zh-changjei.xml", lpString2="Windows Media Player") returned 1 [0065.103] lstrcmpW (lpString1="zh-changjei.xml", lpString2="Windows NT") returned 1 [0065.103] lstrcmpW (lpString1="zh-changjei.xml", lpString2="Windows Sidebar") returned 1 [0065.103] lstrcmpW (lpString1="zh-changjei.xml", lpString2="Startup") returned 1 [0065.103] lstrcmpW (lpString1="zh-changjei.xml", lpString2="Temp") returned 1 [0065.103] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="zh-changjei.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" [0065.103] PathFindExtensionW (pszPath="zh-changjei.xml") returned=".xml" [0065.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.103] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="..") returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2=".") returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="Windows") returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="MSOCache") returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="PerfLogs") returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="DVD Maker") returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="Internet Explorer") returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="Reference Assemblies") returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="Windows Defender") returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="Windows Mail") returned 1 [0065.103] lstrcmpW (lpString1="zh-dayi.xml", lpString2="Windows Media Player") returned 1 [0065.104] lstrcmpW (lpString1="zh-dayi.xml", lpString2="Windows NT") returned 1 [0065.104] lstrcmpW (lpString1="zh-dayi.xml", lpString2="Windows Sidebar") returned 1 [0065.104] lstrcmpW (lpString1="zh-dayi.xml", lpString2="Startup") returned 1 [0065.104] lstrcmpW (lpString1="zh-dayi.xml", lpString2="Temp") returned 1 [0065.104] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="zh-dayi.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" [0065.104] PathFindExtensionW (pszPath="zh-dayi.xml") returned=".xml" [0065.104] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.104] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="..") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2=".") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="Windows") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="MSOCache") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="PerfLogs") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="DVD Maker") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="Internet Explorer") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="Reference Assemblies") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="Windows Defender") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="Windows Mail") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="Windows Media Player") returned 1 [0065.104] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="Windows NT") returned 1 [0065.105] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="Windows Sidebar") returned 1 [0065.105] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="Startup") returned 1 [0065.105] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="Temp") returned 1 [0065.105] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main", pszFile="zh-phonetic.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" [0065.105] PathFindExtensionW (pszPath="zh-phonetic.xml") returned=".xml" [0065.105] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.105] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0 [0065.105] FindClose (in: hFindFile=0x4d4858 | out: hFindFile=0x4d4858) returned 1 [0065.106] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="..") returned 1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2=".") returned 1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="Windows") returned -1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="MSOCache") returned -1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="PerfLogs") returned -1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="DVD Maker") returned 1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="Internet Explorer") returned 1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="Reference Assemblies") returned -1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="Windows Defender") returned -1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="Windows Mail") returned -1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="Windows Media Player") returned -1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="Windows NT") returned -1 [0065.106] lstrcmpW (lpString1="main.xml", lpString2="Windows Sidebar") returned -1 [0065.107] lstrcmpW (lpString1="main.xml", lpString2="Startup") returned -1 [0065.107] lstrcmpW (lpString1="main.xml", lpString2="Temp") returned -1 [0065.107] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="main.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml" [0065.107] PathFindExtensionW (pszPath="main.xml") returned=".xml" [0065.107] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.107] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.107] lstrcmpW (lpString1="oskclearui", lpString2="..") returned 1 [0065.107] lstrcmpW (lpString1="oskclearui", lpString2=".") returned 1 [0065.107] lstrcmpW (lpString1="oskclearui", lpString2="Windows") returned -1 [0065.107] lstrcmpW (lpString1="oskclearui", lpString2="MSOCache") returned 1 [0065.107] lstrcmpW (lpString1="oskclearui", lpString2="PerfLogs") returned -1 [0065.107] lstrcmpW (lpString1="oskclearui", lpString2="DVD Maker") returned 1 [0065.107] lstrcmpW (lpString1="oskclearui", lpString2="Internet Explorer") returned 1 [0065.107] lstrcmpW (lpString1="oskclearui", lpString2="Reference Assemblies") returned -1 [0065.107] lstrcmpW (lpString1="oskclearui", lpString2="Windows Defender") returned -1 [0065.109] lstrcmpW (lpString1="oskclearui", lpString2="Windows Mail") returned -1 [0065.109] lstrcmpW (lpString1="oskclearui", lpString2="Windows Media Player") returned -1 [0065.109] lstrcmpW (lpString1="oskclearui", lpString2="Windows NT") returned -1 [0065.109] lstrcmpW (lpString1="oskclearui", lpString2="Windows Sidebar") returned -1 [0065.109] lstrcmpW (lpString1="oskclearui", lpString2="Startup") returned -1 [0065.109] lstrcmpW (lpString1="oskclearui", lpString2="Temp") returned -1 [0065.109] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="oskclearui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui" [0065.109] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\*.*" [0065.109] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d4798 [0065.110] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.110] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.110] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.110] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="..") returned 1 [0065.110] lstrcmpW (lpString1="oskclearuibase.xml", lpString2=".") returned 1 [0065.110] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="Windows") returned -1 [0065.110] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="MSOCache") returned 1 [0065.110] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="PerfLogs") returned -1 [0065.110] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="DVD Maker") returned 1 [0065.110] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="Internet Explorer") returned 1 [0065.110] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="Reference Assemblies") returned -1 [0065.110] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="Windows Defender") returned -1 [0065.111] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="Windows Mail") returned -1 [0065.111] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="Windows Media Player") returned -1 [0065.111] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="Windows NT") returned -1 [0065.111] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="Windows Sidebar") returned -1 [0065.111] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="Startup") returned -1 [0065.111] lstrcmpW (lpString1="oskclearuibase.xml", lpString2="Temp") returned -1 [0065.111] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui", pszFile="oskclearuibase.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml" [0065.111] PathFindExtensionW (pszPath="oskclearuibase.xml") returned=".xml" [0065.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui\\oskclearuibase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.111] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0 [0065.111] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0065.111] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="..") returned 1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2=".") returned 1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="Windows") returned -1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="MSOCache") returned 1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="PerfLogs") returned -1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="DVD Maker") returned 1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="Internet Explorer") returned 1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="Reference Assemblies") returned -1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="Windows Defender") returned -1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="Windows Mail") returned -1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="Windows Media Player") returned -1 [0065.112] lstrcmpW (lpString1="oskclearui.xml", lpString2="Windows NT") returned -1 [0065.113] lstrcmpW (lpString1="oskclearui.xml", lpString2="Windows Sidebar") returned -1 [0065.113] lstrcmpW (lpString1="oskclearui.xml", lpString2="Startup") returned -1 [0065.113] lstrcmpW (lpString1="oskclearui.xml", lpString2="Temp") returned -1 [0065.113] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="oskclearui.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml" [0065.113] PathFindExtensionW (pszPath="oskclearui.xml") returned=".xml" [0065.113] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskclearui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.113] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.113] lstrcmpW (lpString1="oskmenu", lpString2="..") returned 1 [0065.113] lstrcmpW (lpString1="oskmenu", lpString2=".") returned 1 [0065.113] lstrcmpW (lpString1="oskmenu", lpString2="Windows") returned -1 [0065.113] lstrcmpW (lpString1="oskmenu", lpString2="MSOCache") returned 1 [0065.113] lstrcmpW (lpString1="oskmenu", lpString2="PerfLogs") returned -1 [0065.113] lstrcmpW (lpString1="oskmenu", lpString2="DVD Maker") returned 1 [0065.113] lstrcmpW (lpString1="oskmenu", lpString2="Internet Explorer") returned 1 [0065.114] lstrcmpW (lpString1="oskmenu", lpString2="Reference Assemblies") returned -1 [0065.114] lstrcmpW (lpString1="oskmenu", lpString2="Windows Defender") returned -1 [0065.114] lstrcmpW (lpString1="oskmenu", lpString2="Windows Mail") returned -1 [0065.114] lstrcmpW (lpString1="oskmenu", lpString2="Windows Media Player") returned -1 [0065.114] lstrcmpW (lpString1="oskmenu", lpString2="Windows NT") returned -1 [0065.114] lstrcmpW (lpString1="oskmenu", lpString2="Windows Sidebar") returned -1 [0065.114] lstrcmpW (lpString1="oskmenu", lpString2="Startup") returned -1 [0065.114] lstrcmpW (lpString1="oskmenu", lpString2="Temp") returned -1 [0065.114] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="oskmenu" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu" [0065.114] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\*.*" [0065.114] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d4ad8 [0065.114] FindNextFileW (in: hFindFile=0x4d4ad8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.114] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.115] FindNextFileW (in: hFindFile=0x4d4ad8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="..") returned 1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2=".") returned 1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="Windows") returned -1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="MSOCache") returned 1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="PerfLogs") returned -1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="DVD Maker") returned 1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="Internet Explorer") returned 1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="Reference Assemblies") returned -1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="Windows Defender") returned -1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="Windows Mail") returned -1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="Windows Media Player") returned -1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="Windows NT") returned -1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="Windows Sidebar") returned -1 [0065.115] lstrcmpW (lpString1="oskmenubase.xml", lpString2="Startup") returned -1 [0065.116] lstrcmpW (lpString1="oskmenubase.xml", lpString2="Temp") returned -1 [0065.116] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu", pszFile="oskmenubase.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" [0065.116] PathFindExtensionW (pszPath="oskmenubase.xml") returned=".xml" [0065.116] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.116] FindNextFileW (in: hFindFile=0x4d4ad8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0 [0065.116] FindClose (in: hFindFile=0x4d4ad8 | out: hFindFile=0x4d4ad8) returned 1 [0065.116] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.116] lstrcmpW (lpString1="oskmenu.xml", lpString2="..") returned 1 [0065.116] lstrcmpW (lpString1="oskmenu.xml", lpString2=".") returned 1 [0065.116] lstrcmpW (lpString1="oskmenu.xml", lpString2="Windows") returned -1 [0065.116] lstrcmpW (lpString1="oskmenu.xml", lpString2="MSOCache") returned 1 [0065.116] lstrcmpW (lpString1="oskmenu.xml", lpString2="PerfLogs") returned -1 [0065.117] lstrcmpW (lpString1="oskmenu.xml", lpString2="DVD Maker") returned 1 [0065.117] lstrcmpW (lpString1="oskmenu.xml", lpString2="Internet Explorer") returned 1 [0065.117] lstrcmpW (lpString1="oskmenu.xml", lpString2="Reference Assemblies") returned -1 [0065.117] lstrcmpW (lpString1="oskmenu.xml", lpString2="Windows Defender") returned -1 [0065.117] lstrcmpW (lpString1="oskmenu.xml", lpString2="Windows Mail") returned -1 [0065.117] lstrcmpW (lpString1="oskmenu.xml", lpString2="Windows Media Player") returned -1 [0065.117] lstrcmpW (lpString1="oskmenu.xml", lpString2="Windows NT") returned -1 [0065.117] lstrcmpW (lpString1="oskmenu.xml", lpString2="Windows Sidebar") returned -1 [0065.117] lstrcmpW (lpString1="oskmenu.xml", lpString2="Startup") returned -1 [0065.117] lstrcmpW (lpString1="oskmenu.xml", lpString2="Temp") returned -1 [0065.117] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="oskmenu.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml" [0065.117] PathFindExtensionW (pszPath="oskmenu.xml") returned=".xml" [0065.117] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.117] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="..") returned 1 [0065.118] lstrcmpW (lpString1="osknav", lpString2=".") returned 1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="Windows") returned -1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="MSOCache") returned 1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="PerfLogs") returned -1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="DVD Maker") returned 1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="Internet Explorer") returned 1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="Reference Assemblies") returned -1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="Windows Defender") returned -1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="Windows Mail") returned -1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="Windows Media Player") returned -1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="Windows NT") returned -1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="Windows Sidebar") returned -1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="Startup") returned -1 [0065.118] lstrcmpW (lpString1="osknav", lpString2="Temp") returned -1 [0065.118] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="osknav" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav" [0065.118] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\*.*" [0065.119] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d4858 [0065.119] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.120] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.120] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="..") returned 1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2=".") returned 1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="Windows") returned -1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="MSOCache") returned 1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="PerfLogs") returned -1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="DVD Maker") returned 1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="Internet Explorer") returned 1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="Reference Assemblies") returned -1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="Windows Defender") returned -1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="Windows Mail") returned -1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="Windows Media Player") returned -1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="Windows NT") returned -1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="Windows Sidebar") returned -1 [0065.120] lstrcmpW (lpString1="osknavbase.xml", lpString2="Startup") returned -1 [0065.121] lstrcmpW (lpString1="osknavbase.xml", lpString2="Temp") returned -1 [0065.121] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav", pszFile="osknavbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml" [0065.121] PathFindExtensionW (pszPath="osknavbase.xml") returned=".xml" [0065.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav\\osknavbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.121] FindNextFileW (in: hFindFile=0x4d4858, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0 [0065.121] FindClose (in: hFindFile=0x4d4858 | out: hFindFile=0x4d4858) returned 1 [0065.121] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.121] lstrcmpW (lpString1="osknav.xml", lpString2="..") returned 1 [0065.121] lstrcmpW (lpString1="osknav.xml", lpString2=".") returned 1 [0065.121] lstrcmpW (lpString1="osknav.xml", lpString2="Windows") returned -1 [0065.121] lstrcmpW (lpString1="osknav.xml", lpString2="MSOCache") returned 1 [0065.121] lstrcmpW (lpString1="osknav.xml", lpString2="PerfLogs") returned -1 [0065.122] lstrcmpW (lpString1="osknav.xml", lpString2="DVD Maker") returned 1 [0065.122] lstrcmpW (lpString1="osknav.xml", lpString2="Internet Explorer") returned 1 [0065.122] lstrcmpW (lpString1="osknav.xml", lpString2="Reference Assemblies") returned -1 [0065.122] lstrcmpW (lpString1="osknav.xml", lpString2="Windows Defender") returned -1 [0065.122] lstrcmpW (lpString1="osknav.xml", lpString2="Windows Mail") returned -1 [0065.122] lstrcmpW (lpString1="osknav.xml", lpString2="Windows Media Player") returned -1 [0065.122] lstrcmpW (lpString1="osknav.xml", lpString2="Windows NT") returned -1 [0065.122] lstrcmpW (lpString1="osknav.xml", lpString2="Windows Sidebar") returned -1 [0065.122] lstrcmpW (lpString1="osknav.xml", lpString2="Startup") returned -1 [0065.122] lstrcmpW (lpString1="osknav.xml", lpString2="Temp") returned -1 [0065.122] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="osknav.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml" [0065.122] PathFindExtensionW (pszPath="osknav.xml") returned=".xml" [0065.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknav.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.123] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="..") returned 1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2=".") returned 1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="Windows") returned -1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="MSOCache") returned 1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="PerfLogs") returned -1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="DVD Maker") returned 1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="Internet Explorer") returned 1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="Reference Assemblies") returned -1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="Windows Defender") returned -1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="Windows Mail") returned -1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="Windows Media Player") returned -1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="Windows NT") returned -1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="Windows Sidebar") returned -1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="Startup") returned -1 [0065.123] lstrcmpW (lpString1="osknumpad", lpString2="Temp") returned -1 [0065.124] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="osknumpad" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad" [0065.124] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\*.*" [0065.124] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d4c98 [0065.124] FindNextFileW (in: hFindFile=0x4d4c98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.124] FindNextFileW (in: hFindFile=0x4d4c98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.124] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="..") returned 1 [0065.124] lstrcmpW (lpString1="osknumpadbase.xml", lpString2=".") returned 1 [0065.124] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="Windows") returned -1 [0065.124] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="MSOCache") returned 1 [0065.124] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="PerfLogs") returned -1 [0065.124] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="DVD Maker") returned 1 [0065.124] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="Internet Explorer") returned 1 [0065.125] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="Reference Assemblies") returned -1 [0065.125] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="Windows Defender") returned -1 [0065.125] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="Windows Mail") returned -1 [0065.125] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="Windows Media Player") returned -1 [0065.125] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="Windows NT") returned -1 [0065.125] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="Windows Sidebar") returned -1 [0065.125] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="Startup") returned -1 [0065.125] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="Temp") returned -1 [0065.125] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad", pszFile="osknumpadbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" [0065.125] PathFindExtensionW (pszPath="osknumpadbase.xml") returned=".xml" [0065.125] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.125] FindNextFileW (in: hFindFile=0x4d4c98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0 [0065.125] FindClose (in: hFindFile=0x4d4c98 | out: hFindFile=0x4d4c98) returned 1 [0065.125] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.125] lstrcmpW (lpString1="osknumpad.xml", lpString2="..") returned 1 [0065.125] lstrcmpW (lpString1="osknumpad.xml", lpString2=".") returned 1 [0065.125] lstrcmpW (lpString1="osknumpad.xml", lpString2="Windows") returned -1 [0065.125] lstrcmpW (lpString1="osknumpad.xml", lpString2="MSOCache") returned 1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="PerfLogs") returned -1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="DVD Maker") returned 1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="Internet Explorer") returned 1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="Reference Assemblies") returned -1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="Windows Defender") returned -1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="Windows Mail") returned -1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="Windows Media Player") returned -1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="Windows NT") returned -1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="Windows Sidebar") returned -1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="Startup") returned -1 [0065.126] lstrcmpW (lpString1="osknumpad.xml", lpString2="Temp") returned -1 [0065.126] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="osknumpad.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" [0065.126] PathFindExtensionW (pszPath="osknumpad.xml") returned=".xml" [0065.126] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.126] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.126] lstrcmpW (lpString1="oskpred", lpString2="..") returned 1 [0065.126] lstrcmpW (lpString1="oskpred", lpString2=".") returned 1 [0065.126] lstrcmpW (lpString1="oskpred", lpString2="Windows") returned -1 [0065.126] lstrcmpW (lpString1="oskpred", lpString2="MSOCache") returned 1 [0065.126] lstrcmpW (lpString1="oskpred", lpString2="PerfLogs") returned -1 [0065.126] lstrcmpW (lpString1="oskpred", lpString2="DVD Maker") returned 1 [0065.126] lstrcmpW (lpString1="oskpred", lpString2="Internet Explorer") returned 1 [0065.127] lstrcmpW (lpString1="oskpred", lpString2="Reference Assemblies") returned -1 [0065.127] lstrcmpW (lpString1="oskpred", lpString2="Windows Defender") returned -1 [0065.127] lstrcmpW (lpString1="oskpred", lpString2="Windows Mail") returned -1 [0065.127] lstrcmpW (lpString1="oskpred", lpString2="Windows Media Player") returned -1 [0065.127] lstrcmpW (lpString1="oskpred", lpString2="Windows NT") returned -1 [0065.127] lstrcmpW (lpString1="oskpred", lpString2="Windows Sidebar") returned -1 [0065.127] lstrcmpW (lpString1="oskpred", lpString2="Startup") returned -1 [0065.127] lstrcmpW (lpString1="oskpred", lpString2="Temp") returned -1 [0065.127] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="oskpred" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred" [0065.127] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\*.*" [0065.127] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d4bd8 [0065.127] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.127] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.127] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.127] lstrcmpW (lpString1="oskpredbase.xml", lpString2="..") returned 1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2=".") returned 1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2="Windows") returned -1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2="MSOCache") returned 1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2="PerfLogs") returned -1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2="DVD Maker") returned 1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2="Internet Explorer") returned 1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2="Reference Assemblies") returned -1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2="Windows Defender") returned -1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2="Windows Mail") returned -1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2="Windows Media Player") returned -1 [0065.128] lstrcmpW (lpString1="oskpredbase.xml", lpString2="Windows NT") returned -1 [0065.129] lstrcmpW (lpString1="oskpredbase.xml", lpString2="Windows Sidebar") returned -1 [0065.129] lstrcmpW (lpString1="oskpredbase.xml", lpString2="Startup") returned -1 [0065.129] lstrcmpW (lpString1="oskpredbase.xml", lpString2="Temp") returned -1 [0065.129] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred", pszFile="oskpredbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" [0065.129] PathFindExtensionW (pszPath="oskpredbase.xml") returned=".xml" [0065.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.130] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0 [0065.130] FindClose (in: hFindFile=0x4d4bd8 | out: hFindFile=0x4d4bd8) returned 1 [0065.130] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2="..") returned 1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2=".") returned 1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2="Windows") returned -1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2="MSOCache") returned 1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2="PerfLogs") returned -1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2="DVD Maker") returned 1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2="Internet Explorer") returned 1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2="Reference Assemblies") returned -1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2="Windows Defender") returned -1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2="Windows Mail") returned -1 [0065.130] lstrcmpW (lpString1="oskpred.xml", lpString2="Windows Media Player") returned -1 [0065.131] lstrcmpW (lpString1="oskpred.xml", lpString2="Windows NT") returned -1 [0065.131] lstrcmpW (lpString1="oskpred.xml", lpString2="Windows Sidebar") returned -1 [0065.131] lstrcmpW (lpString1="oskpred.xml", lpString2="Startup") returned -1 [0065.131] lstrcmpW (lpString1="oskpred.xml", lpString2="Temp") returned -1 [0065.131] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="oskpred.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml" [0065.131] PathFindExtensionW (pszPath="oskpred.xml") returned=".xml" [0065.131] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.131] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.131] lstrcmpW (lpString1="symbols", lpString2="..") returned 1 [0065.131] lstrcmpW (lpString1="symbols", lpString2=".") returned 1 [0065.131] lstrcmpW (lpString1="symbols", lpString2="Windows") returned -1 [0065.131] lstrcmpW (lpString1="symbols", lpString2="MSOCache") returned 1 [0065.131] lstrcmpW (lpString1="symbols", lpString2="PerfLogs") returned 1 [0065.131] lstrcmpW (lpString1="symbols", lpString2="DVD Maker") returned 1 [0065.132] lstrcmpW (lpString1="symbols", lpString2="Internet Explorer") returned 1 [0065.132] lstrcmpW (lpString1="symbols", lpString2="Reference Assemblies") returned 1 [0065.132] lstrcmpW (lpString1="symbols", lpString2="Windows Defender") returned -1 [0065.132] lstrcmpW (lpString1="symbols", lpString2="Windows Mail") returned -1 [0065.132] lstrcmpW (lpString1="symbols", lpString2="Windows Media Player") returned -1 [0065.132] lstrcmpW (lpString1="symbols", lpString2="Windows NT") returned -1 [0065.132] lstrcmpW (lpString1="symbols", lpString2="Windows Sidebar") returned -1 [0065.132] lstrcmpW (lpString1="symbols", lpString2="Startup") returned 1 [0065.132] lstrcmpW (lpString1="symbols", lpString2="Temp") returned -1 [0065.132] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="symbols" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols" [0065.132] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\*.*" [0065.132] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d49d8 [0065.132] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.133] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.133] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="..") returned 1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2=".") returned 1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="Windows") returned -1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="MSOCache") returned -1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="PerfLogs") returned -1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="DVD Maker") returned 1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="Internet Explorer") returned -1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="Reference Assemblies") returned -1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="Windows Defender") returned -1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="Windows Mail") returned -1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="Windows Media Player") returned -1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="Windows NT") returned -1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="Windows Sidebar") returned -1 [0065.133] lstrcmpW (lpString1="ea-sym.xml", lpString2="Startup") returned -1 [0065.134] lstrcmpW (lpString1="ea-sym.xml", lpString2="Temp") returned -1 [0065.134] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols", pszFile="ea-sym.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" [0065.134] PathFindExtensionW (pszPath="ea-sym.xml") returned=".xml" [0065.134] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.134] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="..") returned 1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2=".") returned 1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="Windows") returned -1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="MSOCache") returned -1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="PerfLogs") returned -1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="DVD Maker") returned 1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="Internet Explorer") returned 1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="Reference Assemblies") returned -1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="Windows Defender") returned -1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="Windows Mail") returned -1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="Windows Media Player") returned -1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="Windows NT") returned -1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="Windows Sidebar") returned -1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="Startup") returned -1 [0065.134] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="Temp") returned -1 [0065.135] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols", pszFile="ja-jp-sym.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" [0065.135] PathFindExtensionW (pszPath="ja-jp-sym.xml") returned=".xml" [0065.135] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.135] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="..") returned 1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2=".") returned 1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="Windows") returned -1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="MSOCache") returned 1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="PerfLogs") returned 1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="DVD Maker") returned 1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="Internet Explorer") returned 1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="Reference Assemblies") returned 1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="Windows Defender") returned -1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="Windows Mail") returned -1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="Windows Media Player") returned -1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="Windows NT") returned -1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="Windows Sidebar") returned -1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="Startup") returned 1 [0065.135] lstrcmpW (lpString1="symbase.xml", lpString2="Temp") returned -1 [0065.135] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols", pszFile="symbase.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml" [0065.135] PathFindExtensionW (pszPath="symbase.xml") returned=".xml" [0065.136] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.136] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0 [0065.136] FindClose (in: hFindFile=0x4d49d8 | out: hFindFile=0x4d49d8) returned 1 [0065.136] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="..") returned 1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2=".") returned 1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="Windows") returned -1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="MSOCache") returned 1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="PerfLogs") returned 1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="DVD Maker") returned 1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="Internet Explorer") returned 1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="Reference Assemblies") returned 1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="Windows Defender") returned -1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="Windows Mail") returned -1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="Windows Media Player") returned -1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="Windows NT") returned -1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="Windows Sidebar") returned -1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="Startup") returned 1 [0065.136] lstrcmpW (lpString1="symbols.xml", lpString2="Temp") returned -1 [0065.136] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions", pszFile="symbols.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml" [0065.137] PathFindExtensionW (pszPath="symbols.xml") returned=".xml" [0065.137] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.137] FindNextFileW (in: hFindFile=0x4d48d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.137] FindClose (in: hFindFile=0x4d48d8 | out: hFindFile=0x4d48d8) returned 1 [0065.137] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="..") returned 1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2=".") returned 1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="Windows") returned -1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="MSOCache") returned -1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="PerfLogs") returned -1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="DVD Maker") returned 1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="Internet Explorer") returned -1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="Reference Assemblies") returned -1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="Windows Defender") returned -1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="Windows Mail") returned -1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="Windows Media Player") returned -1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="Windows NT") returned -1 [0065.137] lstrcmpW (lpString1="he-IL", lpString2="Windows Sidebar") returned -1 [0065.138] lstrcmpW (lpString1="he-IL", lpString2="Startup") returned -1 [0065.138] lstrcmpW (lpString1="he-IL", lpString2="Temp") returned -1 [0065.138] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="he-IL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL" [0065.138] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\*.*" [0065.138] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4dd8 [0065.138] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.138] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.138] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.138] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.138] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.138] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.138] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.139] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.139] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui" [0065.139] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.140] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.140] FindClose (in: hFindFile=0x4d4dd8 | out: hFindFile=0x4d4dd8) returned 1 [0065.140] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.140] lstrcmpW (lpString1="hr-HR", lpString2="..") returned 1 [0065.140] lstrcmpW (lpString1="hr-HR", lpString2=".") returned 1 [0065.140] lstrcmpW (lpString1="hr-HR", lpString2="Windows") returned -1 [0065.140] lstrcmpW (lpString1="hr-HR", lpString2="MSOCache") returned -1 [0065.140] lstrcmpW (lpString1="hr-HR", lpString2="PerfLogs") returned -1 [0065.140] lstrcmpW (lpString1="hr-HR", lpString2="DVD Maker") returned 1 [0065.141] lstrcmpW (lpString1="hr-HR", lpString2="Internet Explorer") returned -1 [0065.141] lstrcmpW (lpString1="hr-HR", lpString2="Reference Assemblies") returned -1 [0065.141] lstrcmpW (lpString1="hr-HR", lpString2="Windows Defender") returned -1 [0065.141] lstrcmpW (lpString1="hr-HR", lpString2="Windows Mail") returned -1 [0065.141] lstrcmpW (lpString1="hr-HR", lpString2="Windows Media Player") returned -1 [0065.141] lstrcmpW (lpString1="hr-HR", lpString2="Windows NT") returned -1 [0065.141] lstrcmpW (lpString1="hr-HR", lpString2="Windows Sidebar") returned -1 [0065.141] lstrcmpW (lpString1="hr-HR", lpString2="Startup") returned -1 [0065.141] lstrcmpW (lpString1="hr-HR", lpString2="Temp") returned -1 [0065.141] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="hr-HR" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR" [0065.141] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\*.*" [0065.141] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4998 [0065.141] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.142] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.142] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.142] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.143] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.143] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui" [0065.143] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.143] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.150] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.151] FindClose (in: hFindFile=0x4d4998 | out: hFindFile=0x4d4998) returned 1 [0065.151] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="Windows") returned -1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="MSOCache") returned -1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="PerfLogs") returned -1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="DVD Maker") returned 1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="Internet Explorer") returned -1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="Reference Assemblies") returned -1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="Windows Defender") returned -1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="Windows Mail") returned -1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="Windows Media Player") returned -1 [0065.151] lstrcmpW (lpString1="hu-HU", lpString2="Windows NT") returned -1 [0065.152] lstrcmpW (lpString1="hu-HU", lpString2="Windows Sidebar") returned -1 [0065.152] lstrcmpW (lpString1="hu-HU", lpString2="Startup") returned -1 [0065.152] lstrcmpW (lpString1="hu-HU", lpString2="Temp") returned -1 [0065.152] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="hu-HU" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU" [0065.152] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\*.*" [0065.152] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4d58 [0065.152] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.152] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.152] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.152] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.152] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.153] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.153] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui" [0065.153] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.153] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.154] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.154] FindClose (in: hFindFile=0x4d4d58 | out: hFindFile=0x4d4d58) returned 1 [0065.154] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.154] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="..") returned 1 [0065.154] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2=".") returned 1 [0065.154] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="Windows") returned -1 [0065.154] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="MSOCache") returned -1 [0065.154] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="PerfLogs") returned -1 [0065.154] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="DVD Maker") returned 1 [0065.154] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="Internet Explorer") returned -1 [0065.154] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="Reference Assemblies") returned -1 [0065.154] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="Windows Defender") returned -1 [0065.155] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="Windows Mail") returned -1 [0065.155] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="Windows Media Player") returned -1 [0065.155] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="Windows NT") returned -1 [0065.155] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="Windows Sidebar") returned -1 [0065.155] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="Startup") returned -1 [0065.155] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="Temp") returned -1 [0065.155] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="hwrcommonlm.dat" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" [0065.155] PathFindExtensionW (pszPath="hwrcommonlm.dat") returned=".dat" [0065.155] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.155] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.155] lstrcmpW (lpString1="HWRCustomization", lpString2="..") returned 1 [0065.157] lstrcmpW (lpString1="HWRCustomization", lpString2=".") returned 1 [0065.157] lstrcmpW (lpString1="HWRCustomization", lpString2="Windows") returned -1 [0065.157] lstrcmpW (lpString1="HWRCustomization", lpString2="MSOCache") returned -1 [0065.157] lstrcmpW (lpString1="HWRCustomization", lpString2="PerfLogs") returned -1 [0065.157] lstrcmpW (lpString1="HWRCustomization", lpString2="DVD Maker") returned 1 [0065.157] lstrcmpW (lpString1="HWRCustomization", lpString2="Internet Explorer") returned -1 [0065.157] lstrcmpW (lpString1="HWRCustomization", lpString2="Reference Assemblies") returned -1 [0065.158] lstrcmpW (lpString1="HWRCustomization", lpString2="Windows Defender") returned -1 [0065.158] lstrcmpW (lpString1="HWRCustomization", lpString2="Windows Mail") returned -1 [0065.158] lstrcmpW (lpString1="HWRCustomization", lpString2="Windows Media Player") returned -1 [0065.158] lstrcmpW (lpString1="HWRCustomization", lpString2="Windows NT") returned -1 [0065.158] lstrcmpW (lpString1="HWRCustomization", lpString2="Windows Sidebar") returned -1 [0065.158] lstrcmpW (lpString1="HWRCustomization", lpString2="Startup") returned -1 [0065.158] lstrcmpW (lpString1="HWRCustomization", lpString2="Temp") returned -1 [0065.158] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="HWRCustomization" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization" [0065.158] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*.*" [0065.158] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4bd8 [0065.158] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.158] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.158] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.159] FindClose (in: hFindFile=0x4d4bd8 | out: hFindFile=0x4d4bd8) returned 1 [0065.159] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.159] lstrcmpW (lpString1="hwrenalm.dat", lpString2="..") returned 1 [0065.159] lstrcmpW (lpString1="hwrenalm.dat", lpString2=".") returned 1 [0065.159] lstrcmpW (lpString1="hwrenalm.dat", lpString2="Windows") returned -1 [0065.159] lstrcmpW (lpString1="hwrenalm.dat", lpString2="MSOCache") returned -1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="PerfLogs") returned -1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="DVD Maker") returned 1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="Internet Explorer") returned -1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="Reference Assemblies") returned -1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="Windows Defender") returned -1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="Windows Mail") returned -1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="Windows Media Player") returned -1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="Windows NT") returned -1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="Windows Sidebar") returned -1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="Startup") returned -1 [0065.160] lstrcmpW (lpString1="hwrenalm.dat", lpString2="Temp") returned -1 [0065.160] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="hwrenalm.dat" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenalm.dat") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenalm.dat" [0065.160] PathFindExtensionW (pszPath="hwrenalm.dat") returned=".dat" [0065.160] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.160] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="..") returned 1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2=".") returned 1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="Windows") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="MSOCache") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="PerfLogs") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="DVD Maker") returned 1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="Internet Explorer") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="Reference Assemblies") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="Windows Defender") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="Windows Mail") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="Windows Media Player") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="Windows NT") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="Windows Sidebar") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="Startup") returned -1 [0065.161] lstrcmpW (lpString1="hwrenclm.dat", lpString2="Temp") returned -1 [0065.161] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="hwrenclm.dat" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" [0065.161] PathFindExtensionW (pszPath="hwrenclm.dat") returned=".dat" [0065.162] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.162] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="..") returned 1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2=".") returned 1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="Windows") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="MSOCache") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="PerfLogs") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="DVD Maker") returned 1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="Internet Explorer") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="Reference Assemblies") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="Windows Defender") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="Windows Mail") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="Windows Media Player") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="Windows NT") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="Windows Sidebar") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="Startup") returned -1 [0065.162] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="Temp") returned -1 [0065.162] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="hwrlatinlm.dat" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" [0065.162] PathFindExtensionW (pszPath="hwrlatinlm.dat") returned=".dat" [0065.162] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.163] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="..") returned 1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2=".") returned 1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="Windows") returned -1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="MSOCache") returned -1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="PerfLogs") returned -1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="DVD Maker") returned 1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="Internet Explorer") returned -1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="Reference Assemblies") returned -1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="Windows Defender") returned -1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="Windows Mail") returned -1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="Windows Media Player") returned -1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="Windows NT") returned -1 [0065.163] lstrcmpW (lpString1="hwruklm.dat", lpString2="Windows Sidebar") returned -1 [0065.164] lstrcmpW (lpString1="hwruklm.dat", lpString2="Startup") returned -1 [0065.164] lstrcmpW (lpString1="hwruklm.dat", lpString2="Temp") returned -1 [0065.164] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="hwruklm.dat" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwruklm.dat") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwruklm.dat" [0065.164] PathFindExtensionW (pszPath="hwruklm.dat") returned=".dat" [0065.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.164] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.164] lstrcmpW (lpString1="hwruksh.dat", lpString2="..") returned 1 [0065.164] lstrcmpW (lpString1="hwruksh.dat", lpString2=".") returned 1 [0065.164] lstrcmpW (lpString1="hwruksh.dat", lpString2="Windows") returned -1 [0065.164] lstrcmpW (lpString1="hwruksh.dat", lpString2="MSOCache") returned -1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="PerfLogs") returned -1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="DVD Maker") returned 1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="Internet Explorer") returned -1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="Reference Assemblies") returned -1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="Windows Defender") returned -1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="Windows Mail") returned -1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="Windows Media Player") returned -1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="Windows NT") returned -1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="Windows Sidebar") returned -1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="Startup") returned -1 [0065.165] lstrcmpW (lpString1="hwruksh.dat", lpString2="Temp") returned -1 [0065.165] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="hwruksh.dat" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwruksh.dat") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwruksh.dat" [0065.165] PathFindExtensionW (pszPath="hwruksh.dat") returned=".dat" [0065.165] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.165] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.165] lstrcmpW (lpString1="hwrusalm.dat", lpString2="..") returned 1 [0065.165] lstrcmpW (lpString1="hwrusalm.dat", lpString2=".") returned 1 [0065.165] lstrcmpW (lpString1="hwrusalm.dat", lpString2="Windows") returned -1 [0065.165] lstrcmpW (lpString1="hwrusalm.dat", lpString2="MSOCache") returned -1 [0065.165] lstrcmpW (lpString1="hwrusalm.dat", lpString2="PerfLogs") returned -1 [0065.165] lstrcmpW (lpString1="hwrusalm.dat", lpString2="DVD Maker") returned 1 [0065.165] lstrcmpW (lpString1="hwrusalm.dat", lpString2="Internet Explorer") returned -1 [0065.166] lstrcmpW (lpString1="hwrusalm.dat", lpString2="Reference Assemblies") returned -1 [0065.166] lstrcmpW (lpString1="hwrusalm.dat", lpString2="Windows Defender") returned -1 [0065.166] lstrcmpW (lpString1="hwrusalm.dat", lpString2="Windows Mail") returned -1 [0065.166] lstrcmpW (lpString1="hwrusalm.dat", lpString2="Windows Media Player") returned -1 [0065.166] lstrcmpW (lpString1="hwrusalm.dat", lpString2="Windows NT") returned -1 [0065.166] lstrcmpW (lpString1="hwrusalm.dat", lpString2="Windows Sidebar") returned -1 [0065.166] lstrcmpW (lpString1="hwrusalm.dat", lpString2="Startup") returned -1 [0065.166] lstrcmpW (lpString1="hwrusalm.dat", lpString2="Temp") returned -1 [0065.166] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="hwrusalm.dat" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" [0065.166] PathFindExtensionW (pszPath="hwrusalm.dat") returned=".dat" [0065.166] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.167] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="..") returned 1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2=".") returned 1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="Windows") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="MSOCache") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="PerfLogs") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="DVD Maker") returned 1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="Internet Explorer") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="Reference Assemblies") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="Windows Defender") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="Windows Mail") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="Windows Media Player") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="Windows NT") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="Windows Sidebar") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="Startup") returned -1 [0065.167] lstrcmpW (lpString1="hwrusash.dat", lpString2="Temp") returned -1 [0065.167] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="hwrusash.dat" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" [0065.167] PathFindExtensionW (pszPath="hwrusash.dat") returned=".dat" [0065.167] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.167] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.167] lstrcmpW (lpString1="InkDiv.dll", lpString2="..") returned 1 [0065.167] lstrcmpW (lpString1="InkDiv.dll", lpString2=".") returned 1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="Windows") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="MSOCache") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="PerfLogs") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="DVD Maker") returned 1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="Internet Explorer") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="Reference Assemblies") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="Windows Defender") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="Windows Mail") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="Windows Media Player") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="Windows NT") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="Windows Sidebar") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="Startup") returned -1 [0065.168] lstrcmpW (lpString1="InkDiv.dll", lpString2="Temp") returned -1 [0065.168] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="InkDiv.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" [0065.168] PathFindExtensionW (pszPath="InkDiv.dll") returned=".dll" [0065.168] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.169] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="..") returned 1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2=".") returned 1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="Windows") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="MSOCache") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="PerfLogs") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="DVD Maker") returned 1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="Internet Explorer") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="Reference Assemblies") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="Windows Defender") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="Windows Mail") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="Windows Media Player") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="Windows NT") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="Windows Sidebar") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="Startup") returned -1 [0065.169] lstrcmpW (lpString1="InkObj.dll", lpString2="Temp") returned -1 [0065.170] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="InkObj.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" [0065.170] PathFindExtensionW (pszPath="InkObj.dll") returned=".dll" [0065.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.170] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.170] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="..") returned 1 [0065.170] lstrcmpW (lpString1="InputPersonalization.exe", lpString2=".") returned 1 [0065.170] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="Windows") returned -1 [0065.170] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="MSOCache") returned -1 [0065.170] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="PerfLogs") returned -1 [0065.170] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="DVD Maker") returned 1 [0065.170] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="Internet Explorer") returned -1 [0065.170] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="Reference Assemblies") returned -1 [0065.170] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="Windows Defender") returned -1 [0065.170] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="Windows Mail") returned -1 [0065.171] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="Windows Media Player") returned -1 [0065.171] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="Windows NT") returned -1 [0065.171] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="Windows Sidebar") returned -1 [0065.171] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="Startup") returned -1 [0065.171] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="Temp") returned -1 [0065.171] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="InputPersonalization.exe" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" [0065.171] PathFindExtensionW (pszPath="InputPersonalization.exe") returned=".exe" [0065.171] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.174] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.174] lstrcmpW (lpString1="ipsar.xml", lpString2="..") returned 1 [0065.174] lstrcmpW (lpString1="ipsar.xml", lpString2=".") returned 1 [0065.174] lstrcmpW (lpString1="ipsar.xml", lpString2="Windows") returned -1 [0065.174] lstrcmpW (lpString1="ipsar.xml", lpString2="MSOCache") returned -1 [0065.174] lstrcmpW (lpString1="ipsar.xml", lpString2="PerfLogs") returned -1 [0065.175] lstrcmpW (lpString1="ipsar.xml", lpString2="DVD Maker") returned 1 [0065.175] lstrcmpW (lpString1="ipsar.xml", lpString2="Internet Explorer") returned 1 [0065.175] lstrcmpW (lpString1="ipsar.xml", lpString2="Reference Assemblies") returned -1 [0065.175] lstrcmpW (lpString1="ipsar.xml", lpString2="Windows Defender") returned -1 [0065.175] lstrcmpW (lpString1="ipsar.xml", lpString2="Windows Mail") returned -1 [0065.175] lstrcmpW (lpString1="ipsar.xml", lpString2="Windows Media Player") returned -1 [0065.175] lstrcmpW (lpString1="ipsar.xml", lpString2="Windows NT") returned -1 [0065.175] lstrcmpW (lpString1="ipsar.xml", lpString2="Windows Sidebar") returned -1 [0065.175] lstrcmpW (lpString1="ipsar.xml", lpString2="Startup") returned -1 [0065.175] lstrcmpW (lpString1="ipsar.xml", lpString2="Temp") returned -1 [0065.175] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsar.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" [0065.175] PathFindExtensionW (pszPath="ipsar.xml") returned=".xml" [0065.175] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsar.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsar.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.176] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="..") returned 1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2=".") returned 1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="Windows") returned -1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="MSOCache") returned -1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="PerfLogs") returned -1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="DVD Maker") returned 1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="Internet Explorer") returned 1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="Reference Assemblies") returned -1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="Windows Defender") returned -1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="Windows Mail") returned -1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="Windows Media Player") returned -1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="Windows NT") returned -1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="Windows Sidebar") returned -1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="Startup") returned -1 [0065.176] lstrcmpW (lpString1="ipscat.xml", lpString2="Temp") returned -1 [0065.177] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipscat.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" [0065.177] PathFindExtensionW (pszPath="ipscat.xml") returned=".xml" [0065.177] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.177] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="..") returned 1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2=".") returned 1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="Windows") returned -1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="MSOCache") returned -1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="PerfLogs") returned -1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="DVD Maker") returned 1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="Internet Explorer") returned 1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="Reference Assemblies") returned -1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="Windows Defender") returned -1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="Windows Mail") returned -1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="Windows Media Player") returned -1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="Windows NT") returned -1 [0065.184] lstrcmpW (lpString1="ipschs.xml", lpString2="Windows Sidebar") returned -1 [0065.185] lstrcmpW (lpString1="ipschs.xml", lpString2="Startup") returned -1 [0065.185] lstrcmpW (lpString1="ipschs.xml", lpString2="Temp") returned -1 [0065.185] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipschs.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" [0065.185] PathFindExtensionW (pszPath="ipschs.xml") returned=".xml" [0065.185] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.185] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="..") returned 1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2=".") returned 1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="Windows") returned -1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="MSOCache") returned -1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="PerfLogs") returned -1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="DVD Maker") returned 1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="Internet Explorer") returned 1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="Reference Assemblies") returned -1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="Windows Defender") returned -1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="Windows Mail") returned -1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="Windows Media Player") returned -1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="Windows NT") returned -1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="Windows Sidebar") returned -1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="Startup") returned -1 [0065.185] lstrcmpW (lpString1="ipscht.xml", lpString2="Temp") returned -1 [0065.186] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipscht.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" [0065.186] PathFindExtensionW (pszPath="ipscht.xml") returned=".xml" [0065.186] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.186] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="..") returned 1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2=".") returned 1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="Windows") returned -1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="MSOCache") returned -1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="PerfLogs") returned -1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="DVD Maker") returned 1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="Internet Explorer") returned 1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="Reference Assemblies") returned -1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="Windows Defender") returned -1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="Windows Mail") returned -1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="Windows Media Player") returned -1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="Windows NT") returned -1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="Windows Sidebar") returned -1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="Startup") returned -1 [0065.186] lstrcmpW (lpString1="ipscsy.xml", lpString2="Temp") returned -1 [0065.186] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipscsy.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" [0065.186] PathFindExtensionW (pszPath="ipscsy.xml") returned=".xml" [0065.186] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.187] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="..") returned 1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2=".") returned 1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="Windows") returned -1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="MSOCache") returned -1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="PerfLogs") returned -1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="DVD Maker") returned 1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="Internet Explorer") returned 1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="Reference Assemblies") returned -1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="Windows Defender") returned -1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="Windows Mail") returned -1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="Windows Media Player") returned -1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="Windows NT") returned -1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="Windows Sidebar") returned -1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="Startup") returned -1 [0065.187] lstrcmpW (lpString1="ipsdan.xml", lpString2="Temp") returned -1 [0065.187] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsdan.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" [0065.187] PathFindExtensionW (pszPath="ipsdan.xml") returned=".xml" [0065.187] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.188] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="..") returned 1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2=".") returned 1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="Windows") returned -1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="MSOCache") returned -1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="PerfLogs") returned -1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="DVD Maker") returned 1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="Internet Explorer") returned 1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="Reference Assemblies") returned -1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="Windows Defender") returned -1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="Windows Mail") returned -1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="Windows Media Player") returned -1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="Windows NT") returned -1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="Windows Sidebar") returned -1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="Startup") returned -1 [0065.188] lstrcmpW (lpString1="ipsdeu.xml", lpString2="Temp") returned -1 [0065.188] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsdeu.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" [0065.188] PathFindExtensionW (pszPath="ipsdeu.xml") returned=".xml" [0065.188] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.189] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="..") returned 1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2=".") returned 1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="Windows") returned -1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="MSOCache") returned -1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="PerfLogs") returned -1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="DVD Maker") returned 1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="Internet Explorer") returned 1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="Reference Assemblies") returned -1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="Windows Defender") returned -1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="Windows Mail") returned -1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="Windows Media Player") returned -1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="Windows NT") returned -1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="Windows Sidebar") returned -1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="Startup") returned -1 [0065.189] lstrcmpW (lpString1="ipsel.xml", lpString2="Temp") returned -1 [0065.189] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsel.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" [0065.190] PathFindExtensionW (pszPath="ipsel.xml") returned=".xml" [0065.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsel.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsel.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.190] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="..") returned 1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2=".") returned 1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="Windows") returned -1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="MSOCache") returned -1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="PerfLogs") returned -1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="DVD Maker") returned 1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="Internet Explorer") returned 1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="Reference Assemblies") returned -1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="Windows Defender") returned -1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="Windows Mail") returned -1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="Windows Media Player") returned -1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="Windows NT") returned -1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="Windows Sidebar") returned -1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="Startup") returned -1 [0065.190] lstrcmpW (lpString1="ipsen.xml", lpString2="Temp") returned -1 [0065.191] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsen.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" [0065.191] PathFindExtensionW (pszPath="ipsen.xml") returned=".xml" [0065.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.191] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="..") returned 1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2=".") returned 1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="Windows") returned -1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="MSOCache") returned -1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="PerfLogs") returned -1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="DVD Maker") returned 1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="Internet Explorer") returned 1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="Reference Assemblies") returned -1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="Windows Defender") returned -1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="Windows Mail") returned -1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="Windows Media Player") returned -1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="Windows NT") returned -1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="Windows Sidebar") returned -1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="Startup") returned -1 [0065.191] lstrcmpW (lpString1="ipsesp.xml", lpString2="Temp") returned -1 [0065.191] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsesp.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" [0065.191] PathFindExtensionW (pszPath="ipsesp.xml") returned=".xml" [0065.192] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.192] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="..") returned 1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2=".") returned 1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="Windows") returned -1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="MSOCache") returned -1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="PerfLogs") returned -1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="DVD Maker") returned 1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="Internet Explorer") returned 1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="Reference Assemblies") returned -1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="Windows Defender") returned -1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="Windows Mail") returned -1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="Windows Media Player") returned -1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="Windows NT") returned -1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="Windows Sidebar") returned -1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="Startup") returned -1 [0065.192] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="Temp") returned -1 [0065.192] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="IPSEventLogMsg.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" [0065.192] PathFindExtensionW (pszPath="IPSEventLogMsg.dll") returned=".dll" [0065.192] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IPSEventLogMsg.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.193] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="..") returned 1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2=".") returned 1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="Windows") returned -1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="MSOCache") returned -1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="PerfLogs") returned -1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="DVD Maker") returned 1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="Internet Explorer") returned 1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="Reference Assemblies") returned -1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="Windows Defender") returned -1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="Windows Mail") returned -1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="Windows Media Player") returned -1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="Windows NT") returned -1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="Windows Sidebar") returned -1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="Startup") returned -1 [0065.193] lstrcmpW (lpString1="ipsfin.xml", lpString2="Temp") returned -1 [0065.193] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsfin.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" [0065.194] PathFindExtensionW (pszPath="ipsfin.xml") returned=".xml" [0065.194] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.194] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="..") returned 1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2=".") returned 1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="Windows") returned -1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="MSOCache") returned -1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="PerfLogs") returned -1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="DVD Maker") returned 1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="Internet Explorer") returned 1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="Reference Assemblies") returned -1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="Windows Defender") returned -1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="Windows Mail") returned -1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="Windows Media Player") returned -1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="Windows NT") returned -1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="Windows Sidebar") returned -1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="Startup") returned -1 [0065.194] lstrcmpW (lpString1="ipsfra.xml", lpString2="Temp") returned -1 [0065.194] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsfra.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" [0065.194] PathFindExtensionW (pszPath="ipsfra.xml") returned=".xml" [0065.194] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.195] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="..") returned 1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2=".") returned 1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="Windows") returned -1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="MSOCache") returned -1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="PerfLogs") returned -1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="DVD Maker") returned 1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="Internet Explorer") returned 1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="Reference Assemblies") returned -1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="Windows Defender") returned -1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="Windows Mail") returned -1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="Windows Media Player") returned -1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="Windows NT") returned -1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="Windows Sidebar") returned -1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="Startup") returned -1 [0065.195] lstrcmpW (lpString1="ipshe.xml", lpString2="Temp") returned -1 [0065.195] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipshe.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" [0065.195] PathFindExtensionW (pszPath="ipshe.xml") returned=".xml" [0065.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshe.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshe.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.196] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="..") returned 1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2=".") returned 1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="Windows") returned -1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="MSOCache") returned -1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="PerfLogs") returned -1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="DVD Maker") returned 1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="Internet Explorer") returned 1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="Reference Assemblies") returned -1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="Windows Defender") returned -1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="Windows Mail") returned -1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="Windows Media Player") returned -1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="Windows NT") returned -1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="Windows Sidebar") returned -1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="Startup") returned -1 [0065.196] lstrcmpW (lpString1="ipshi.xml", lpString2="Temp") returned -1 [0065.196] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipshi.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" [0065.196] PathFindExtensionW (pszPath="ipshi.xml") returned=".xml" [0065.196] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.197] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.197] lstrcmpW (lpString1="ipshrv.xml", lpString2="..") returned 1 [0065.197] lstrcmpW (lpString1="ipshrv.xml", lpString2=".") returned 1 [0065.197] lstrcmpW (lpString1="ipshrv.xml", lpString2="Windows") returned -1 [0065.197] lstrcmpW (lpString1="ipshrv.xml", lpString2="MSOCache") returned -1 [0065.197] lstrcmpW (lpString1="ipshrv.xml", lpString2="PerfLogs") returned -1 [0065.197] lstrcmpW (lpString1="ipshrv.xml", lpString2="DVD Maker") returned 1 [0065.197] lstrcmpW (lpString1="ipshrv.xml", lpString2="Internet Explorer") returned 1 [0065.197] lstrcmpW (lpString1="ipshrv.xml", lpString2="Reference Assemblies") returned -1 [0065.197] lstrcmpW (lpString1="ipshrv.xml", lpString2="Windows Defender") returned -1 [0065.198] lstrcmpW (lpString1="ipshrv.xml", lpString2="Windows Mail") returned -1 [0065.198] lstrcmpW (lpString1="ipshrv.xml", lpString2="Windows Media Player") returned -1 [0065.198] lstrcmpW (lpString1="ipshrv.xml", lpString2="Windows NT") returned -1 [0065.198] lstrcmpW (lpString1="ipshrv.xml", lpString2="Windows Sidebar") returned -1 [0065.198] lstrcmpW (lpString1="ipshrv.xml", lpString2="Startup") returned -1 [0065.198] lstrcmpW (lpString1="ipshrv.xml", lpString2="Temp") returned -1 [0065.198] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipshrv.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" [0065.198] PathFindExtensionW (pszPath="ipshrv.xml") returned=".xml" [0065.198] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.198] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.198] lstrcmpW (lpString1="ipsid.xml", lpString2="..") returned 1 [0065.198] lstrcmpW (lpString1="ipsid.xml", lpString2=".") returned 1 [0065.198] lstrcmpW (lpString1="ipsid.xml", lpString2="Windows") returned -1 [0065.198] lstrcmpW (lpString1="ipsid.xml", lpString2="MSOCache") returned -1 [0065.198] lstrcmpW (lpString1="ipsid.xml", lpString2="PerfLogs") returned -1 [0065.199] lstrcmpW (lpString1="ipsid.xml", lpString2="DVD Maker") returned 1 [0065.199] lstrcmpW (lpString1="ipsid.xml", lpString2="Internet Explorer") returned 1 [0065.199] lstrcmpW (lpString1="ipsid.xml", lpString2="Reference Assemblies") returned -1 [0065.199] lstrcmpW (lpString1="ipsid.xml", lpString2="Windows Defender") returned -1 [0065.199] lstrcmpW (lpString1="ipsid.xml", lpString2="Windows Mail") returned -1 [0065.199] lstrcmpW (lpString1="ipsid.xml", lpString2="Windows Media Player") returned -1 [0065.199] lstrcmpW (lpString1="ipsid.xml", lpString2="Windows NT") returned -1 [0065.199] lstrcmpW (lpString1="ipsid.xml", lpString2="Windows Sidebar") returned -1 [0065.199] lstrcmpW (lpString1="ipsid.xml", lpString2="Startup") returned -1 [0065.199] lstrcmpW (lpString1="ipsid.xml", lpString2="Temp") returned -1 [0065.199] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsid.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" [0065.199] PathFindExtensionW (pszPath="ipsid.xml") returned=".xml" [0065.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsid.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsid.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.199] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.199] lstrcmpW (lpString1="ipsita.xml", lpString2="..") returned 1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2=".") returned 1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="Windows") returned -1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="MSOCache") returned -1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="PerfLogs") returned -1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="DVD Maker") returned 1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="Internet Explorer") returned 1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="Reference Assemblies") returned -1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="Windows Defender") returned -1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="Windows Mail") returned -1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="Windows Media Player") returned -1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="Windows NT") returned -1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="Windows Sidebar") returned -1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="Startup") returned -1 [0065.200] lstrcmpW (lpString1="ipsita.xml", lpString2="Temp") returned -1 [0065.200] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsita.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" [0065.201] PathFindExtensionW (pszPath="ipsita.xml") returned=".xml" [0065.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.201] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2="..") returned 1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2=".") returned 1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2="Windows") returned -1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2="MSOCache") returned -1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2="PerfLogs") returned -1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2="DVD Maker") returned 1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2="Internet Explorer") returned 1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2="Reference Assemblies") returned -1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2="Windows Defender") returned -1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2="Windows Mail") returned -1 [0065.201] lstrcmpW (lpString1="ipsjpn.xml", lpString2="Windows Media Player") returned -1 [0065.202] lstrcmpW (lpString1="ipsjpn.xml", lpString2="Windows NT") returned -1 [0065.202] lstrcmpW (lpString1="ipsjpn.xml", lpString2="Windows Sidebar") returned -1 [0065.202] lstrcmpW (lpString1="ipsjpn.xml", lpString2="Startup") returned -1 [0065.202] lstrcmpW (lpString1="ipsjpn.xml", lpString2="Temp") returned -1 [0065.202] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsjpn.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" [0065.202] PathFindExtensionW (pszPath="ipsjpn.xml") returned=".xml" [0065.202] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.203] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="..") returned 1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2=".") returned 1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="Windows") returned -1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="MSOCache") returned -1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="PerfLogs") returned -1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="DVD Maker") returned 1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="Internet Explorer") returned 1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="Reference Assemblies") returned -1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="Windows Defender") returned -1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="Windows Mail") returned -1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="Windows Media Player") returned -1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="Windows NT") returned -1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="Windows Sidebar") returned -1 [0065.203] lstrcmpW (lpString1="ipskor.xml", lpString2="Startup") returned -1 [0065.204] lstrcmpW (lpString1="ipskor.xml", lpString2="Temp") returned -1 [0065.204] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipskor.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" [0065.204] PathFindExtensionW (pszPath="ipskor.xml") returned=".xml" [0065.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.204] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.204] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="..") returned 1 [0065.204] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2=".") returned 1 [0065.204] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="Windows") returned -1 [0065.204] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="MSOCache") returned -1 [0065.204] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="PerfLogs") returned -1 [0065.206] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="DVD Maker") returned 1 [0065.206] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="Internet Explorer") returned 1 [0065.206] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="Reference Assemblies") returned -1 [0065.206] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="Windows Defender") returned -1 [0065.207] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="Windows Mail") returned -1 [0065.207] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="Windows Media Player") returned -1 [0065.207] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="Windows NT") returned -1 [0065.207] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="Windows Sidebar") returned -1 [0065.207] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="Startup") returned -1 [0065.207] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="Temp") returned -1 [0065.207] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="IpsMigrationPlugin.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll" [0065.207] PathFindExtensionW (pszPath="IpsMigrationPlugin.dll") returned=".dll" [0065.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsMigrationPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.207] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.207] lstrcmpW (lpString1="ipsnld.xml", lpString2="..") returned 1 [0065.207] lstrcmpW (lpString1="ipsnld.xml", lpString2=".") returned 1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="Windows") returned -1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="MSOCache") returned -1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="PerfLogs") returned -1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="DVD Maker") returned 1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="Internet Explorer") returned 1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="Reference Assemblies") returned -1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="Windows Defender") returned -1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="Windows Mail") returned -1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="Windows Media Player") returned -1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="Windows NT") returned -1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="Windows Sidebar") returned -1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="Startup") returned -1 [0065.208] lstrcmpW (lpString1="ipsnld.xml", lpString2="Temp") returned -1 [0065.208] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsnld.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml" [0065.208] PathFindExtensionW (pszPath="ipsnld.xml") returned=".xml" [0065.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.208] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.208] lstrcmpW (lpString1="ipsnor.xml", lpString2="..") returned 1 [0065.208] lstrcmpW (lpString1="ipsnor.xml", lpString2=".") returned 1 [0065.208] lstrcmpW (lpString1="ipsnor.xml", lpString2="Windows") returned -1 [0065.208] lstrcmpW (lpString1="ipsnor.xml", lpString2="MSOCache") returned -1 [0065.208] lstrcmpW (lpString1="ipsnor.xml", lpString2="PerfLogs") returned -1 [0065.209] lstrcmpW (lpString1="ipsnor.xml", lpString2="DVD Maker") returned 1 [0065.209] lstrcmpW (lpString1="ipsnor.xml", lpString2="Internet Explorer") returned 1 [0065.209] lstrcmpW (lpString1="ipsnor.xml", lpString2="Reference Assemblies") returned -1 [0065.209] lstrcmpW (lpString1="ipsnor.xml", lpString2="Windows Defender") returned -1 [0065.209] lstrcmpW (lpString1="ipsnor.xml", lpString2="Windows Mail") returned -1 [0065.209] lstrcmpW (lpString1="ipsnor.xml", lpString2="Windows Media Player") returned -1 [0065.209] lstrcmpW (lpString1="ipsnor.xml", lpString2="Windows NT") returned -1 [0065.209] lstrcmpW (lpString1="ipsnor.xml", lpString2="Windows Sidebar") returned -1 [0065.209] lstrcmpW (lpString1="ipsnor.xml", lpString2="Startup") returned -1 [0065.209] lstrcmpW (lpString1="ipsnor.xml", lpString2="Temp") returned -1 [0065.209] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsnor.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" [0065.209] PathFindExtensionW (pszPath="ipsnor.xml") returned=".xml" [0065.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.209] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.209] lstrcmpW (lpString1="ipsplk.xml", lpString2="..") returned 1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2=".") returned 1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="Windows") returned -1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="MSOCache") returned -1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="PerfLogs") returned -1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="DVD Maker") returned 1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="Internet Explorer") returned 1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="Reference Assemblies") returned -1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="Windows Defender") returned -1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="Windows Mail") returned -1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="Windows Media Player") returned -1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="Windows NT") returned -1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="Windows Sidebar") returned -1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="Startup") returned -1 [0065.210] lstrcmpW (lpString1="ipsplk.xml", lpString2="Temp") returned -1 [0065.210] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsplk.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" [0065.210] PathFindExtensionW (pszPath="ipsplk.xml") returned=".xml" [0065.211] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.211] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="..") returned 1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2=".") returned 1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="Windows") returned -1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="MSOCache") returned -1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="PerfLogs") returned -1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="DVD Maker") returned 1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="Internet Explorer") returned 1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="Reference Assemblies") returned -1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="Windows Defender") returned -1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="Windows Mail") returned -1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="Windows Media Player") returned -1 [0065.211] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="Windows NT") returned -1 [0065.212] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="Windows Sidebar") returned -1 [0065.212] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="Startup") returned -1 [0065.212] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="Temp") returned -1 [0065.212] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="IpsPlugin.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsPlugin.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsPlugin.dll" [0065.212] PathFindExtensionW (pszPath="IpsPlugin.dll") returned=".dll" [0065.212] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.213] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2="..") returned 1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2=".") returned 1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2="Windows") returned -1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2="MSOCache") returned -1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2="PerfLogs") returned -1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2="DVD Maker") returned 1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2="Internet Explorer") returned 1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2="Reference Assemblies") returned -1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2="Windows Defender") returned -1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2="Windows Mail") returned -1 [0065.213] lstrcmpW (lpString1="ipsptb.xml", lpString2="Windows Media Player") returned -1 [0065.214] lstrcmpW (lpString1="ipsptb.xml", lpString2="Windows NT") returned -1 [0065.214] lstrcmpW (lpString1="ipsptb.xml", lpString2="Windows Sidebar") returned -1 [0065.214] lstrcmpW (lpString1="ipsptb.xml", lpString2="Startup") returned -1 [0065.214] lstrcmpW (lpString1="ipsptb.xml", lpString2="Temp") returned -1 [0065.214] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsptb.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" [0065.214] PathFindExtensionW (pszPath="ipsptb.xml") returned=".xml" [0065.214] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.214] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.214] lstrcmpW (lpString1="ipsptg.xml", lpString2="..") returned 1 [0065.214] lstrcmpW (lpString1="ipsptg.xml", lpString2=".") returned 1 [0065.214] lstrcmpW (lpString1="ipsptg.xml", lpString2="Windows") returned -1 [0065.214] lstrcmpW (lpString1="ipsptg.xml", lpString2="MSOCache") returned -1 [0065.214] lstrcmpW (lpString1="ipsptg.xml", lpString2="PerfLogs") returned -1 [0065.214] lstrcmpW (lpString1="ipsptg.xml", lpString2="DVD Maker") returned 1 [0065.215] lstrcmpW (lpString1="ipsptg.xml", lpString2="Internet Explorer") returned 1 [0065.215] lstrcmpW (lpString1="ipsptg.xml", lpString2="Reference Assemblies") returned -1 [0065.215] lstrcmpW (lpString1="ipsptg.xml", lpString2="Windows Defender") returned -1 [0065.215] lstrcmpW (lpString1="ipsptg.xml", lpString2="Windows Mail") returned -1 [0065.215] lstrcmpW (lpString1="ipsptg.xml", lpString2="Windows Media Player") returned -1 [0065.215] lstrcmpW (lpString1="ipsptg.xml", lpString2="Windows NT") returned -1 [0065.215] lstrcmpW (lpString1="ipsptg.xml", lpString2="Windows Sidebar") returned -1 [0065.215] lstrcmpW (lpString1="ipsptg.xml", lpString2="Startup") returned -1 [0065.215] lstrcmpW (lpString1="ipsptg.xml", lpString2="Temp") returned -1 [0065.215] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsptg.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" [0065.215] PathFindExtensionW (pszPath="ipsptg.xml") returned=".xml" [0065.215] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.216] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.216] lstrcmpW (lpString1="ipsrom.xml", lpString2="..") returned 1 [0065.216] lstrcmpW (lpString1="ipsrom.xml", lpString2=".") returned 1 [0065.216] lstrcmpW (lpString1="ipsrom.xml", lpString2="Windows") returned -1 [0065.216] lstrcmpW (lpString1="ipsrom.xml", lpString2="MSOCache") returned -1 [0065.216] lstrcmpW (lpString1="ipsrom.xml", lpString2="PerfLogs") returned -1 [0065.216] lstrcmpW (lpString1="ipsrom.xml", lpString2="DVD Maker") returned 1 [0065.216] lstrcmpW (lpString1="ipsrom.xml", lpString2="Internet Explorer") returned 1 [0065.216] lstrcmpW (lpString1="ipsrom.xml", lpString2="Reference Assemblies") returned -1 [0065.217] lstrcmpW (lpString1="ipsrom.xml", lpString2="Windows Defender") returned -1 [0065.217] lstrcmpW (lpString1="ipsrom.xml", lpString2="Windows Mail") returned -1 [0065.217] lstrcmpW (lpString1="ipsrom.xml", lpString2="Windows Media Player") returned -1 [0065.217] lstrcmpW (lpString1="ipsrom.xml", lpString2="Windows NT") returned -1 [0065.217] lstrcmpW (lpString1="ipsrom.xml", lpString2="Windows Sidebar") returned -1 [0065.217] lstrcmpW (lpString1="ipsrom.xml", lpString2="Startup") returned -1 [0065.217] lstrcmpW (lpString1="ipsrom.xml", lpString2="Temp") returned -1 [0065.217] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsrom.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" [0065.217] PathFindExtensionW (pszPath="ipsrom.xml") returned=".xml" [0065.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.217] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.217] lstrcmpW (lpString1="ipsrus.xml", lpString2="..") returned 1 [0065.217] lstrcmpW (lpString1="ipsrus.xml", lpString2=".") returned 1 [0065.217] lstrcmpW (lpString1="ipsrus.xml", lpString2="Windows") returned -1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="MSOCache") returned -1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="PerfLogs") returned -1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="DVD Maker") returned 1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="Internet Explorer") returned 1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="Reference Assemblies") returned -1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="Windows Defender") returned -1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="Windows Mail") returned -1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="Windows Media Player") returned -1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="Windows NT") returned -1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="Windows Sidebar") returned -1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="Startup") returned -1 [0065.218] lstrcmpW (lpString1="ipsrus.xml", lpString2="Temp") returned -1 [0065.218] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipsrus.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" [0065.218] PathFindExtensionW (pszPath="ipsrus.xml") returned=".xml" [0065.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.219] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="..") returned 1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2=".") returned 1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="Windows") returned -1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="MSOCache") returned -1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="PerfLogs") returned -1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="DVD Maker") returned 1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="Internet Explorer") returned 1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="Reference Assemblies") returned -1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="Windows Defender") returned -1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="Windows Mail") returned -1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="Windows Media Player") returned -1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="Windows NT") returned -1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="Windows Sidebar") returned -1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="Startup") returned -1 [0065.219] lstrcmpW (lpString1="ipssrb.xml", lpString2="Temp") returned -1 [0065.219] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipssrb.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" [0065.220] PathFindExtensionW (pszPath="ipssrb.xml") returned=".xml" [0065.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.220] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="..") returned 1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2=".") returned 1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="Windows") returned -1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="MSOCache") returned -1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="PerfLogs") returned -1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="DVD Maker") returned 1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="Internet Explorer") returned 1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="Reference Assemblies") returned -1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="Windows Defender") returned -1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="Windows Mail") returned -1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="Windows Media Player") returned -1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="Windows NT") returned -1 [0065.220] lstrcmpW (lpString1="ipssrl.xml", lpString2="Windows Sidebar") returned -1 [0065.221] lstrcmpW (lpString1="ipssrl.xml", lpString2="Startup") returned -1 [0065.221] lstrcmpW (lpString1="ipssrl.xml", lpString2="Temp") returned -1 [0065.221] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipssrl.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" [0065.221] PathFindExtensionW (pszPath="ipssrl.xml") returned=".xml" [0065.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.221] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.221] lstrcmpW (lpString1="ipssve.xml", lpString2="..") returned 1 [0065.221] lstrcmpW (lpString1="ipssve.xml", lpString2=".") returned 1 [0065.221] lstrcmpW (lpString1="ipssve.xml", lpString2="Windows") returned -1 [0065.221] lstrcmpW (lpString1="ipssve.xml", lpString2="MSOCache") returned -1 [0065.221] lstrcmpW (lpString1="ipssve.xml", lpString2="PerfLogs") returned -1 [0065.221] lstrcmpW (lpString1="ipssve.xml", lpString2="DVD Maker") returned 1 [0065.221] lstrcmpW (lpString1="ipssve.xml", lpString2="Internet Explorer") returned 1 [0065.221] lstrcmpW (lpString1="ipssve.xml", lpString2="Reference Assemblies") returned -1 [0065.221] lstrcmpW (lpString1="ipssve.xml", lpString2="Windows Defender") returned -1 [0065.221] lstrcmpW (lpString1="ipssve.xml", lpString2="Windows Mail") returned -1 [0065.222] lstrcmpW (lpString1="ipssve.xml", lpString2="Windows Media Player") returned -1 [0065.222] lstrcmpW (lpString1="ipssve.xml", lpString2="Windows NT") returned -1 [0065.222] lstrcmpW (lpString1="ipssve.xml", lpString2="Windows Sidebar") returned -1 [0065.222] lstrcmpW (lpString1="ipssve.xml", lpString2="Startup") returned -1 [0065.222] lstrcmpW (lpString1="ipssve.xml", lpString2="Temp") returned -1 [0065.222] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipssve.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml" [0065.222] PathFindExtensionW (pszPath="ipssve.xml") returned=".xml" [0065.222] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.222] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.222] lstrcmpW (lpString1="ipstr.xml", lpString2="..") returned 1 [0065.222] lstrcmpW (lpString1="ipstr.xml", lpString2=".") returned 1 [0065.222] lstrcmpW (lpString1="ipstr.xml", lpString2="Windows") returned -1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="MSOCache") returned -1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="PerfLogs") returned -1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="DVD Maker") returned 1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="Internet Explorer") returned 1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="Reference Assemblies") returned -1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="Windows Defender") returned -1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="Windows Mail") returned -1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="Windows Media Player") returned -1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="Windows NT") returned -1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="Windows Sidebar") returned -1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="Startup") returned -1 [0065.223] lstrcmpW (lpString1="ipstr.xml", lpString2="Temp") returned -1 [0065.223] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ipstr.xml" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml" [0065.223] PathFindExtensionW (pszPath="ipstr.xml") returned=".xml" [0065.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipstr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipstr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.224] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="Windows") returned -1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="MSOCache") returned -1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="PerfLogs") returned -1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="DVD Maker") returned 1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="Internet Explorer") returned 1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="Reference Assemblies") returned -1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="Windows Defender") returned -1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="Windows Mail") returned -1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="Windows Media Player") returned -1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="Windows NT") returned -1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="Windows Sidebar") returned -1 [0065.224] lstrcmpW (lpString1="it-IT", lpString2="Startup") returned -1 [0065.225] lstrcmpW (lpString1="it-IT", lpString2="Temp") returned -1 [0065.225] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="it-IT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT" [0065.225] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\*.*" [0065.225] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4a58 [0065.226] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.226] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.226] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.226] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.227] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.227] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.227] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.227] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.227] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui" [0065.227] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.227] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.227] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.227] FindClose (in: hFindFile=0x4d4a58 | out: hFindFile=0x4d4a58) returned 1 [0065.227] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.227] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0065.227] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0065.227] lstrcmpW (lpString1="ja-JP", lpString2="Windows") returned -1 [0065.227] lstrcmpW (lpString1="ja-JP", lpString2="MSOCache") returned -1 [0065.227] lstrcmpW (lpString1="ja-JP", lpString2="PerfLogs") returned -1 [0065.227] lstrcmpW (lpString1="ja-JP", lpString2="DVD Maker") returned 1 [0065.228] lstrcmpW (lpString1="ja-JP", lpString2="Internet Explorer") returned 1 [0065.228] lstrcmpW (lpString1="ja-JP", lpString2="Reference Assemblies") returned -1 [0065.228] lstrcmpW (lpString1="ja-JP", lpString2="Windows Defender") returned -1 [0065.228] lstrcmpW (lpString1="ja-JP", lpString2="Windows Mail") returned -1 [0065.228] lstrcmpW (lpString1="ja-JP", lpString2="Windows Media Player") returned -1 [0065.228] lstrcmpW (lpString1="ja-JP", lpString2="Windows NT") returned -1 [0065.228] lstrcmpW (lpString1="ja-JP", lpString2="Windows Sidebar") returned -1 [0065.228] lstrcmpW (lpString1="ja-JP", lpString2="Startup") returned -1 [0065.228] lstrcmpW (lpString1="ja-JP", lpString2="Temp") returned -1 [0065.228] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ja-JP" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP" [0065.228] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\*.*" [0065.228] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4d18 [0065.228] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.228] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.228] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.228] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.228] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.228] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.229] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.229] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui" [0065.229] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.230] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.230] FindClose (in: hFindFile=0x4d4d18 | out: hFindFile=0x4d4d18) returned 1 [0065.230] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="..") returned 1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2=".") returned 1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="Windows") returned -1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="MSOCache") returned -1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="PerfLogs") returned -1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="DVD Maker") returned 1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="Internet Explorer") returned 1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="Reference Assemblies") returned -1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="Windows Defender") returned -1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="Windows Mail") returned -1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="Windows Media Player") returned -1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="Windows NT") returned -1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="Windows Sidebar") returned -1 [0065.230] lstrcmpW (lpString1="journal.dll", lpString2="Startup") returned -1 [0065.231] lstrcmpW (lpString1="journal.dll", lpString2="Temp") returned -1 [0065.231] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="journal.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\journal.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\journal.dll" [0065.231] PathFindExtensionW (pszPath="journal.dll") returned=".dll" [0065.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\journal.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\journal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.231] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="Windows") returned -1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="MSOCache") returned -1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="PerfLogs") returned -1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="DVD Maker") returned 1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="Internet Explorer") returned 1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="Reference Assemblies") returned -1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="Windows Defender") returned -1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="Windows Mail") returned -1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="Windows Media Player") returned -1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="Windows NT") returned -1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="Windows Sidebar") returned -1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="Startup") returned -1 [0065.231] lstrcmpW (lpString1="ko-KR", lpString2="Temp") returned -1 [0065.232] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ko-KR" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR" [0065.232] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\*.*" [0065.232] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d49d8 [0065.232] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.232] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.232] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.232] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.233] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.233] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui" [0065.233] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.233] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ko-KR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.244] FindNextFileW (in: hFindFile=0x4d49d8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.244] FindClose (in: hFindFile=0x4d49d8 | out: hFindFile=0x4d49d8) returned 1 [0065.244] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.244] lstrcmpW (lpString1="lt-LT", lpString2="..") returned 1 [0065.244] lstrcmpW (lpString1="lt-LT", lpString2=".") returned 1 [0065.244] lstrcmpW (lpString1="lt-LT", lpString2="Windows") returned -1 [0065.244] lstrcmpW (lpString1="lt-LT", lpString2="MSOCache") returned -1 [0065.244] lstrcmpW (lpString1="lt-LT", lpString2="PerfLogs") returned -1 [0065.244] lstrcmpW (lpString1="lt-LT", lpString2="DVD Maker") returned 1 [0065.244] lstrcmpW (lpString1="lt-LT", lpString2="Internet Explorer") returned 1 [0065.244] lstrcmpW (lpString1="lt-LT", lpString2="Reference Assemblies") returned -1 [0065.245] lstrcmpW (lpString1="lt-LT", lpString2="Windows Defender") returned -1 [0065.245] lstrcmpW (lpString1="lt-LT", lpString2="Windows Mail") returned -1 [0065.245] lstrcmpW (lpString1="lt-LT", lpString2="Windows Media Player") returned -1 [0065.245] lstrcmpW (lpString1="lt-LT", lpString2="Windows NT") returned -1 [0065.245] lstrcmpW (lpString1="lt-LT", lpString2="Windows Sidebar") returned -1 [0065.245] lstrcmpW (lpString1="lt-LT", lpString2="Startup") returned -1 [0065.245] lstrcmpW (lpString1="lt-LT", lpString2="Temp") returned -1 [0065.245] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="lt-LT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT" [0065.245] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\*.*" [0065.245] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4a58 [0065.245] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.246] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.246] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.246] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.247] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui" [0065.247] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lt-LT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.247] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.247] FindClose (in: hFindFile=0x4d4a58 | out: hFindFile=0x4d4a58) returned 1 [0065.247] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.247] lstrcmpW (lpString1="lv-LV", lpString2="..") returned 1 [0065.247] lstrcmpW (lpString1="lv-LV", lpString2=".") returned 1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="Windows") returned -1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="MSOCache") returned -1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="PerfLogs") returned -1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="DVD Maker") returned 1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="Internet Explorer") returned 1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="Reference Assemblies") returned -1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="Windows Defender") returned -1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="Windows Mail") returned -1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="Windows Media Player") returned -1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="Windows NT") returned -1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="Windows Sidebar") returned -1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="Startup") returned -1 [0065.248] lstrcmpW (lpString1="lv-LV", lpString2="Temp") returned -1 [0065.248] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="lv-LV" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV" [0065.248] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\*.*" [0065.248] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4a18 [0065.249] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.249] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.250] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.250] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui" [0065.250] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\lv-LV\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.251] FindNextFileW (in: hFindFile=0x4d4a18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.251] FindClose (in: hFindFile=0x4d4a18 | out: hFindFile=0x4d4a18) returned 1 [0065.251] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="..") returned 1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2=".") returned 1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="Windows") returned -1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="MSOCache") returned -1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="PerfLogs") returned -1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="DVD Maker") returned 1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="Internet Explorer") returned 1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="Reference Assemblies") returned -1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="Windows Defender") returned -1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="Windows Mail") returned -1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="Windows Media Player") returned -1 [0065.251] lstrcmpW (lpString1="micaut.dll", lpString2="Windows NT") returned -1 [0065.252] lstrcmpW (lpString1="micaut.dll", lpString2="Windows Sidebar") returned -1 [0065.252] lstrcmpW (lpString1="micaut.dll", lpString2="Startup") returned -1 [0065.252] lstrcmpW (lpString1="micaut.dll", lpString2="Temp") returned -1 [0065.252] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="micaut.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll" [0065.252] PathFindExtensionW (pszPath="micaut.dll") returned=".dll" [0065.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.252] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="..") returned 1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2=".") returned 1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="Windows") returned -1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="MSOCache") returned -1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="PerfLogs") returned -1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="DVD Maker") returned 1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="Internet Explorer") returned 1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="Reference Assemblies") returned -1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="Windows Defender") returned -1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="Windows Mail") returned -1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="Windows Media Player") returned -1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="Windows NT") returned -1 [0065.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="Windows Sidebar") returned -1 [0065.253] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="Startup") returned -1 [0065.253] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="Temp") returned -1 [0065.253] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="Microsoft.Ink.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" [0065.253] PathFindExtensionW (pszPath="Microsoft.Ink.dll") returned=".dll" [0065.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.254] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="..") returned 1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2=".") returned 1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="Windows") returned -1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="MSOCache") returned -1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="PerfLogs") returned -1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="DVD Maker") returned 1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="Internet Explorer") returned 1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="Reference Assemblies") returned -1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="Windows Defender") returned -1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="Windows Mail") returned -1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="Windows Media Player") returned -1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="Windows NT") returned -1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="Windows Sidebar") returned -1 [0065.254] lstrcmpW (lpString1="mip.exe", lpString2="Startup") returned -1 [0065.256] lstrcmpW (lpString1="mip.exe", lpString2="Temp") returned -1 [0065.257] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="mip.exe" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe" [0065.257] PathFindExtensionW (pszPath="mip.exe") returned=".exe" [0065.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.257] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.257] lstrcmpW (lpString1="mraut.dll", lpString2="..") returned 1 [0065.257] lstrcmpW (lpString1="mraut.dll", lpString2=".") returned 1 [0065.257] lstrcmpW (lpString1="mraut.dll", lpString2="Windows") returned -1 [0065.257] lstrcmpW (lpString1="mraut.dll", lpString2="MSOCache") returned -1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="PerfLogs") returned -1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="DVD Maker") returned 1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="Internet Explorer") returned 1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="Reference Assemblies") returned -1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="Windows Defender") returned -1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="Windows Mail") returned -1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="Windows Media Player") returned -1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="Windows NT") returned -1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="Windows Sidebar") returned -1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="Startup") returned -1 [0065.258] lstrcmpW (lpString1="mraut.dll", lpString2="Temp") returned -1 [0065.258] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="mraut.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" [0065.258] PathFindExtensionW (pszPath="mraut.dll") returned=".dll" [0065.258] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.267] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="..") returned 1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2=".") returned 1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="Windows") returned -1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="MSOCache") returned -1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="PerfLogs") returned -1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="DVD Maker") returned 1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="Internet Explorer") returned 1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="Reference Assemblies") returned -1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="Windows Defender") returned -1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="Windows Mail") returned -1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="Windows Media Player") returned -1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="Windows NT") returned -1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="Windows Sidebar") returned -1 [0065.267] lstrcmpW (lpString1="mshwgst.dll", lpString2="Startup") returned -1 [0065.268] lstrcmpW (lpString1="mshwgst.dll", lpString2="Temp") returned -1 [0065.268] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="mshwgst.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll" [0065.268] PathFindExtensionW (pszPath="mshwgst.dll") returned=".dll" [0065.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.268] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="..") returned 1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2=".") returned 1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="Windows") returned -1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="MSOCache") returned -1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="PerfLogs") returned -1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="DVD Maker") returned 1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="Internet Explorer") returned 1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="Reference Assemblies") returned -1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="Windows Defender") returned -1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="Windows Mail") returned -1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="Windows Media Player") returned -1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="Windows NT") returned -1 [0065.268] lstrcmpW (lpString1="mshwLatin.dll", lpString2="Windows Sidebar") returned -1 [0065.269] lstrcmpW (lpString1="mshwLatin.dll", lpString2="Startup") returned -1 [0065.269] lstrcmpW (lpString1="mshwLatin.dll", lpString2="Temp") returned -1 [0065.269] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="mshwLatin.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwLatin.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" [0065.269] PathFindExtensionW (pszPath="mshwLatin.dll") returned=".dll" [0065.269] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwlatin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.274] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="Windows") returned -1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="MSOCache") returned 1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="PerfLogs") returned -1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="DVD Maker") returned 1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="Internet Explorer") returned 1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="Reference Assemblies") returned -1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="Windows Defender") returned -1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="Windows Mail") returned -1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="Windows Media Player") returned -1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="Windows NT") returned -1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="Windows Sidebar") returned -1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="Startup") returned -1 [0065.275] lstrcmpW (lpString1="nb-NO", lpString2="Temp") returned -1 [0065.275] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="nb-NO" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO" [0065.276] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\*.*" [0065.276] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4a58 [0065.276] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.276] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.276] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.276] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.276] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.276] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.276] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.279] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.279] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui" [0065.279] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.279] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nb-NO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.280] FindNextFileW (in: hFindFile=0x4d4a58, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.280] FindClose (in: hFindFile=0x4d4a58 | out: hFindFile=0x4d4a58) returned 1 [0065.280] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.280] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0065.280] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0065.280] lstrcmpW (lpString1="nl-NL", lpString2="Windows") returned -1 [0065.280] lstrcmpW (lpString1="nl-NL", lpString2="MSOCache") returned 1 [0065.280] lstrcmpW (lpString1="nl-NL", lpString2="PerfLogs") returned -1 [0065.280] lstrcmpW (lpString1="nl-NL", lpString2="DVD Maker") returned 1 [0065.280] lstrcmpW (lpString1="nl-NL", lpString2="Internet Explorer") returned 1 [0065.281] lstrcmpW (lpString1="nl-NL", lpString2="Reference Assemblies") returned -1 [0065.281] lstrcmpW (lpString1="nl-NL", lpString2="Windows Defender") returned -1 [0065.281] lstrcmpW (lpString1="nl-NL", lpString2="Windows Mail") returned -1 [0065.281] lstrcmpW (lpString1="nl-NL", lpString2="Windows Media Player") returned -1 [0065.281] lstrcmpW (lpString1="nl-NL", lpString2="Windows NT") returned -1 [0065.281] lstrcmpW (lpString1="nl-NL", lpString2="Windows Sidebar") returned -1 [0065.281] lstrcmpW (lpString1="nl-NL", lpString2="Startup") returned -1 [0065.281] lstrcmpW (lpString1="nl-NL", lpString2="Temp") returned -1 [0065.281] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="nl-NL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL" [0065.281] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\*.*" [0065.281] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4798 [0065.281] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.281] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.281] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.281] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.281] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.281] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.281] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.281] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.282] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui" [0065.282] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.282] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\nl-NL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.282] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.282] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0065.282] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.282] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0065.282] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0065.282] lstrcmpW (lpString1="pl-PL", lpString2="Windows") returned -1 [0065.282] lstrcmpW (lpString1="pl-PL", lpString2="MSOCache") returned 1 [0065.282] lstrcmpW (lpString1="pl-PL", lpString2="PerfLogs") returned 1 [0065.283] lstrcmpW (lpString1="pl-PL", lpString2="DVD Maker") returned 1 [0065.283] lstrcmpW (lpString1="pl-PL", lpString2="Internet Explorer") returned 1 [0065.283] lstrcmpW (lpString1="pl-PL", lpString2="Reference Assemblies") returned -1 [0065.283] lstrcmpW (lpString1="pl-PL", lpString2="Windows Defender") returned -1 [0065.283] lstrcmpW (lpString1="pl-PL", lpString2="Windows Mail") returned -1 [0065.283] lstrcmpW (lpString1="pl-PL", lpString2="Windows Media Player") returned -1 [0065.283] lstrcmpW (lpString1="pl-PL", lpString2="Windows NT") returned -1 [0065.283] lstrcmpW (lpString1="pl-PL", lpString2="Windows Sidebar") returned -1 [0065.283] lstrcmpW (lpString1="pl-PL", lpString2="Startup") returned -1 [0065.283] lstrcmpW (lpString1="pl-PL", lpString2="Temp") returned -1 [0065.283] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="pl-PL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL" [0065.283] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\*.*" [0065.283] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4958 [0065.283] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.283] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.283] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.283] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.284] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.285] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.285] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui" [0065.285] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.285] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pl-PL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.285] FindNextFileW (in: hFindFile=0x4d4958, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.285] FindClose (in: hFindFile=0x4d4958 | out: hFindFile=0x4d4958) returned 1 [0065.285] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.285] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0065.285] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0065.285] lstrcmpW (lpString1="pt-BR", lpString2="Windows") returned -1 [0065.285] lstrcmpW (lpString1="pt-BR", lpString2="MSOCache") returned 1 [0065.285] lstrcmpW (lpString1="pt-BR", lpString2="PerfLogs") returned 1 [0065.285] lstrcmpW (lpString1="pt-BR", lpString2="DVD Maker") returned 1 [0065.285] lstrcmpW (lpString1="pt-BR", lpString2="Internet Explorer") returned 1 [0065.286] lstrcmpW (lpString1="pt-BR", lpString2="Reference Assemblies") returned -1 [0065.286] lstrcmpW (lpString1="pt-BR", lpString2="Windows Defender") returned -1 [0065.286] lstrcmpW (lpString1="pt-BR", lpString2="Windows Mail") returned -1 [0065.286] lstrcmpW (lpString1="pt-BR", lpString2="Windows Media Player") returned -1 [0065.286] lstrcmpW (lpString1="pt-BR", lpString2="Windows NT") returned -1 [0065.286] lstrcmpW (lpString1="pt-BR", lpString2="Windows Sidebar") returned -1 [0065.286] lstrcmpW (lpString1="pt-BR", lpString2="Startup") returned -1 [0065.286] lstrcmpW (lpString1="pt-BR", lpString2="Temp") returned -1 [0065.286] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="pt-BR" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR" [0065.286] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\*.*" [0065.286] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4dd8 [0065.287] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.287] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.287] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.287] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.287] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.287] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.287] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.287] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.287] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.287] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.287] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.288] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.288] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.288] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.288] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.288] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.288] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.288] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.288] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui" [0065.288] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-BR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.288] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.288] FindClose (in: hFindFile=0x4d4dd8 | out: hFindFile=0x4d4dd8) returned 1 [0065.289] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="Windows") returned -1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="MSOCache") returned 1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="PerfLogs") returned 1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="DVD Maker") returned 1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="Internet Explorer") returned 1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="Reference Assemblies") returned -1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="Windows Defender") returned -1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="Windows Mail") returned -1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="Windows Media Player") returned -1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="Windows NT") returned -1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="Windows Sidebar") returned -1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="Startup") returned -1 [0065.289] lstrcmpW (lpString1="pt-PT", lpString2="Temp") returned -1 [0065.290] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="pt-PT" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT" [0065.290] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\*.*" [0065.290] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4bd8 [0065.290] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.290] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.290] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.290] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.291] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.291] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.291] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.291] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui" [0065.291] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\pt-PT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.291] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.291] FindClose (in: hFindFile=0x4d4bd8 | out: hFindFile=0x4d4bd8) returned 1 [0065.291] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.291] lstrcmpW (lpString1="ro-RO", lpString2="..") returned 1 [0065.291] lstrcmpW (lpString1="ro-RO", lpString2=".") returned 1 [0065.291] lstrcmpW (lpString1="ro-RO", lpString2="Windows") returned -1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="MSOCache") returned 1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="PerfLogs") returned 1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="DVD Maker") returned 1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="Internet Explorer") returned 1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="Reference Assemblies") returned 1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="Windows Defender") returned -1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="Windows Mail") returned -1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="Windows Media Player") returned -1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="Windows NT") returned -1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="Windows Sidebar") returned -1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="Startup") returned -1 [0065.292] lstrcmpW (lpString1="ro-RO", lpString2="Temp") returned -1 [0065.292] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ro-RO" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO" [0065.292] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\*.*" [0065.293] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4ed8 [0065.293] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.293] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.293] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.293] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.293] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.293] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.293] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.294] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.294] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui" [0065.294] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.295] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ro-RO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.295] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.295] FindClose (in: hFindFile=0x4d4ed8 | out: hFindFile=0x4d4ed8) returned 1 [0065.295] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.295] lstrcmpW (lpString1="rtscom.dll", lpString2="..") returned 1 [0065.295] lstrcmpW (lpString1="rtscom.dll", lpString2=".") returned 1 [0065.295] lstrcmpW (lpString1="rtscom.dll", lpString2="Windows") returned -1 [0065.295] lstrcmpW (lpString1="rtscom.dll", lpString2="MSOCache") returned 1 [0065.295] lstrcmpW (lpString1="rtscom.dll", lpString2="PerfLogs") returned 1 [0065.296] lstrcmpW (lpString1="rtscom.dll", lpString2="DVD Maker") returned 1 [0065.296] lstrcmpW (lpString1="rtscom.dll", lpString2="Internet Explorer") returned 1 [0065.296] lstrcmpW (lpString1="rtscom.dll", lpString2="Reference Assemblies") returned 1 [0065.296] lstrcmpW (lpString1="rtscom.dll", lpString2="Windows Defender") returned -1 [0065.296] lstrcmpW (lpString1="rtscom.dll", lpString2="Windows Mail") returned -1 [0065.296] lstrcmpW (lpString1="rtscom.dll", lpString2="Windows Media Player") returned -1 [0065.296] lstrcmpW (lpString1="rtscom.dll", lpString2="Windows NT") returned -1 [0065.296] lstrcmpW (lpString1="rtscom.dll", lpString2="Windows Sidebar") returned -1 [0065.296] lstrcmpW (lpString1="rtscom.dll", lpString2="Startup") returned -1 [0065.296] lstrcmpW (lpString1="rtscom.dll", lpString2="Temp") returned -1 [0065.296] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="rtscom.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\rtscom.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\rtscom.dll" [0065.296] PathFindExtensionW (pszPath="rtscom.dll") returned=".dll" [0065.296] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\rtscom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\rtscom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.297] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.297] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0065.297] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0065.297] lstrcmpW (lpString1="ru-RU", lpString2="Windows") returned -1 [0065.297] lstrcmpW (lpString1="ru-RU", lpString2="MSOCache") returned 1 [0065.297] lstrcmpW (lpString1="ru-RU", lpString2="PerfLogs") returned 1 [0065.297] lstrcmpW (lpString1="ru-RU", lpString2="DVD Maker") returned 1 [0065.297] lstrcmpW (lpString1="ru-RU", lpString2="Internet Explorer") returned 1 [0065.297] lstrcmpW (lpString1="ru-RU", lpString2="Reference Assemblies") returned 1 [0065.297] lstrcmpW (lpString1="ru-RU", lpString2="Windows Defender") returned -1 [0065.298] lstrcmpW (lpString1="ru-RU", lpString2="Windows Mail") returned -1 [0065.298] lstrcmpW (lpString1="ru-RU", lpString2="Windows Media Player") returned -1 [0065.298] lstrcmpW (lpString1="ru-RU", lpString2="Windows NT") returned -1 [0065.298] lstrcmpW (lpString1="ru-RU", lpString2="Windows Sidebar") returned -1 [0065.298] lstrcmpW (lpString1="ru-RU", lpString2="Startup") returned -1 [0065.298] lstrcmpW (lpString1="ru-RU", lpString2="Temp") returned -1 [0065.298] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ru-RU" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU" [0065.298] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\*.*" [0065.298] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4bd8 [0065.299] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.299] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.299] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.299] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.299] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.299] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.299] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.299] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.299] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.299] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.312] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.312] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.312] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.312] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.313] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.313] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.313] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.313] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.313] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui" [0065.313] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ru-RU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.320] FindNextFileW (in: hFindFile=0x4d4bd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.320] FindClose (in: hFindFile=0x4d4bd8 | out: hFindFile=0x4d4bd8) returned 1 [0065.320] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="..") returned 1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2=".") returned 1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="Windows") returned -1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="MSOCache") returned 1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="PerfLogs") returned 1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="DVD Maker") returned 1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="Internet Explorer") returned 1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="Reference Assemblies") returned 1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="Windows Defender") returned -1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="Windows Mail") returned -1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="Windows Media Player") returned -1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="Windows NT") returned -1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="Windows Sidebar") returned -1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="Startup") returned -1 [0065.320] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="Temp") returned -1 [0065.320] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="ShapeCollector.exe" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ShapeCollector.exe") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ShapeCollector.exe" [0065.320] PathFindExtensionW (pszPath="ShapeCollector.exe") returned=".exe" [0065.320] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.330] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="..") returned 1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2=".") returned 1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="Windows") returned -1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="MSOCache") returned 1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="PerfLogs") returned 1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="DVD Maker") returned 1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="Internet Explorer") returned 1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="Reference Assemblies") returned 1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="Windows Defender") returned -1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="Windows Mail") returned -1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="Windows Media Player") returned -1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="Windows NT") returned -1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="Windows Sidebar") returned -1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="Startup") returned -1 [0065.330] lstrcmpW (lpString1="sk-SK", lpString2="Temp") returned -1 [0065.330] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="sk-SK" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK" [0065.332] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\*.*" [0065.332] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4798 [0065.332] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.332] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.332] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.332] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.332] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.332] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.332] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.332] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.332] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.332] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.333] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.333] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.333] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.333] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.333] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.333] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.333] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.333] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.333] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui" [0065.333] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.333] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.333] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.333] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0065.334] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="..") returned 1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2=".") returned 1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="Windows") returned -1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="MSOCache") returned 1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="PerfLogs") returned 1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="DVD Maker") returned 1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="Internet Explorer") returned 1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="Reference Assemblies") returned 1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="Windows Defender") returned -1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="Windows Mail") returned -1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="Windows Media Player") returned -1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="Windows NT") returned -1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="Windows Sidebar") returned -1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="Startup") returned -1 [0065.334] lstrcmpW (lpString1="sl-SI", lpString2="Temp") returned -1 [0065.334] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="sl-SI" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI" [0065.334] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\*.*" [0065.334] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4798 [0065.334] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.334] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.334] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.334] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.335] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.335] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui" [0065.335] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.335] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.335] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0065.335] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows") returned -1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="MSOCache") returned 1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="PerfLogs") returned 1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="DVD Maker") returned 1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Internet Explorer") returned 1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Reference Assemblies") returned 1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows Defender") returned -1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows Mail") returned -1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows Media Player") returned -1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows NT") returned -1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Windows Sidebar") returned -1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Startup") returned -1 [0065.335] lstrcmpW (lpString1="sr-Latn-CS", lpString2="Temp") returned -1 [0065.335] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="sr-Latn-CS" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS" [0065.335] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\*.*" [0065.335] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4c18 [0065.335] FindNextFileW (in: hFindFile=0x4d4c18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.335] FindNextFileW (in: hFindFile=0x4d4c18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.335] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.335] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.336] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.336] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\tipresx.dll.mui" [0065.336] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-CS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.336] FindNextFileW (in: hFindFile=0x4d4c18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.336] FindClose (in: hFindFile=0x4d4c18 | out: hFindFile=0x4d4c18) returned 1 [0065.336] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="..") returned 1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2=".") returned 1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows") returned -1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="MSOCache") returned 1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="PerfLogs") returned 1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="DVD Maker") returned 1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Internet Explorer") returned 1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Reference Assemblies") returned 1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows Defender") returned -1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows Mail") returned -1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows Media Player") returned -1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows NT") returned -1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Windows Sidebar") returned -1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Startup") returned -1 [0065.337] lstrcmpW (lpString1="sr-Latn-RS", lpString2="Temp") returned -1 [0065.337] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="sr-Latn-RS" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS" [0065.337] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\*.*" [0065.337] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4ed8 [0065.337] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.337] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.337] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.338] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui" [0065.338] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sr-Latn-RS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-rs\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.338] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.338] FindClose (in: hFindFile=0x4d4ed8 | out: hFindFile=0x4d4ed8) returned 1 [0065.338] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="Windows") returned -1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="MSOCache") returned 1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="PerfLogs") returned 1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="DVD Maker") returned 1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="Internet Explorer") returned 1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="Reference Assemblies") returned 1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="Windows Defender") returned -1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="Windows Mail") returned -1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="Windows Media Player") returned -1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="Windows NT") returned -1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="Windows Sidebar") returned -1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="Startup") returned 1 [0065.338] lstrcmpW (lpString1="sv-SE", lpString2="Temp") returned -1 [0065.338] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="sv-SE" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE" [0065.338] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\*.*" [0065.338] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4dd8 [0065.339] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.339] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.339] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.339] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.339] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui" [0065.339] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.339] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\sv-SE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.339] FindNextFileW (in: hFindFile=0x4d4dd8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.339] FindClose (in: hFindFile=0x4d4dd8 | out: hFindFile=0x4d4dd8) returned 1 [0065.339] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.339] lstrcmpW (lpString1="TabIpsps.dll", lpString2="..") returned 1 [0065.339] lstrcmpW (lpString1="TabIpsps.dll", lpString2=".") returned 1 [0065.339] lstrcmpW (lpString1="TabIpsps.dll", lpString2="Windows") returned -1 [0065.339] lstrcmpW (lpString1="TabIpsps.dll", lpString2="MSOCache") returned 1 [0065.339] lstrcmpW (lpString1="TabIpsps.dll", lpString2="PerfLogs") returned 1 [0065.339] lstrcmpW (lpString1="TabIpsps.dll", lpString2="DVD Maker") returned 1 [0065.340] lstrcmpW (lpString1="TabIpsps.dll", lpString2="Internet Explorer") returned 1 [0065.340] lstrcmpW (lpString1="TabIpsps.dll", lpString2="Reference Assemblies") returned 1 [0065.340] lstrcmpW (lpString1="TabIpsps.dll", lpString2="Windows Defender") returned -1 [0065.340] lstrcmpW (lpString1="TabIpsps.dll", lpString2="Windows Mail") returned -1 [0065.340] lstrcmpW (lpString1="TabIpsps.dll", lpString2="Windows Media Player") returned -1 [0065.340] lstrcmpW (lpString1="TabIpsps.dll", lpString2="Windows NT") returned -1 [0065.340] lstrcmpW (lpString1="TabIpsps.dll", lpString2="Windows Sidebar") returned -1 [0065.340] lstrcmpW (lpString1="TabIpsps.dll", lpString2="Startup") returned 1 [0065.340] lstrcmpW (lpString1="TabIpsps.dll", lpString2="Temp") returned -1 [0065.340] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="TabIpsps.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabIpsps.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabIpsps.dll" [0065.340] PathFindExtensionW (pszPath="TabIpsps.dll") returned=".dll" [0065.340] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.340] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.340] lstrcmpW (lpString1="tabskb.dll", lpString2="..") returned 1 [0065.340] lstrcmpW (lpString1="tabskb.dll", lpString2=".") returned 1 [0065.340] lstrcmpW (lpString1="tabskb.dll", lpString2="Windows") returned -1 [0065.340] lstrcmpW (lpString1="tabskb.dll", lpString2="MSOCache") returned 1 [0065.340] lstrcmpW (lpString1="tabskb.dll", lpString2="PerfLogs") returned 1 [0065.340] lstrcmpW (lpString1="tabskb.dll", lpString2="DVD Maker") returned 1 [0065.340] lstrcmpW (lpString1="tabskb.dll", lpString2="Internet Explorer") returned 1 [0065.340] lstrcmpW (lpString1="tabskb.dll", lpString2="Reference Assemblies") returned 1 [0065.341] lstrcmpW (lpString1="tabskb.dll", lpString2="Windows Defender") returned -1 [0065.341] lstrcmpW (lpString1="tabskb.dll", lpString2="Windows Mail") returned -1 [0065.341] lstrcmpW (lpString1="tabskb.dll", lpString2="Windows Media Player") returned -1 [0065.341] lstrcmpW (lpString1="tabskb.dll", lpString2="Windows NT") returned -1 [0065.341] lstrcmpW (lpString1="tabskb.dll", lpString2="Windows Sidebar") returned -1 [0065.341] lstrcmpW (lpString1="tabskb.dll", lpString2="Startup") returned 1 [0065.341] lstrcmpW (lpString1="tabskb.dll", lpString2="Temp") returned -1 [0065.341] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="tabskb.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll" [0065.341] PathFindExtensionW (pszPath="tabskb.dll") returned=".dll" [0065.341] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.354] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.354] lstrcmpW (lpString1="TabTip.exe", lpString2="..") returned 1 [0065.354] lstrcmpW (lpString1="TabTip.exe", lpString2=".") returned 1 [0065.354] lstrcmpW (lpString1="TabTip.exe", lpString2="Windows") returned -1 [0065.354] lstrcmpW (lpString1="TabTip.exe", lpString2="MSOCache") returned 1 [0065.354] lstrcmpW (lpString1="TabTip.exe", lpString2="PerfLogs") returned 1 [0065.354] lstrcmpW (lpString1="TabTip.exe", lpString2="DVD Maker") returned 1 [0065.354] lstrcmpW (lpString1="TabTip.exe", lpString2="Internet Explorer") returned 1 [0065.354] lstrcmpW (lpString1="TabTip.exe", lpString2="Reference Assemblies") returned 1 [0065.354] lstrcmpW (lpString1="TabTip.exe", lpString2="Windows Defender") returned -1 [0065.354] lstrcmpW (lpString1="TabTip.exe", lpString2="Windows Mail") returned -1 [0065.355] lstrcmpW (lpString1="TabTip.exe", lpString2="Windows Media Player") returned -1 [0065.355] lstrcmpW (lpString1="TabTip.exe", lpString2="Windows NT") returned -1 [0065.355] lstrcmpW (lpString1="TabTip.exe", lpString2="Windows Sidebar") returned -1 [0065.355] lstrcmpW (lpString1="TabTip.exe", lpString2="Startup") returned 1 [0065.355] lstrcmpW (lpString1="TabTip.exe", lpString2="Temp") returned -1 [0065.355] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="TabTip.exe" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe" [0065.355] PathFindExtensionW (pszPath="TabTip.exe") returned=".exe" [0065.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabtip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.365] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="..") returned 1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2=".") returned 1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="Windows") returned -1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="MSOCache") returned 1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="PerfLogs") returned 1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="DVD Maker") returned 1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="Internet Explorer") returned 1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="Reference Assemblies") returned 1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="Windows Defender") returned -1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="Windows Mail") returned -1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="Windows Media Player") returned -1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="Windows NT") returned -1 [0065.365] lstrcmpW (lpString1="th-TH", lpString2="Windows Sidebar") returned -1 [0065.366] lstrcmpW (lpString1="th-TH", lpString2="Startup") returned 1 [0065.366] lstrcmpW (lpString1="th-TH", lpString2="Temp") returned 1 [0065.366] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="th-TH" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH" [0065.366] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\*.*" [0065.366] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4798 [0065.366] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.366] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.366] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.366] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.367] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.367] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.367] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.367] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.367] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui" [0065.367] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.367] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.367] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0065.367] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.367] lstrcmpW (lpString1="TipBand.dll", lpString2="..") returned 1 [0065.367] lstrcmpW (lpString1="TipBand.dll", lpString2=".") returned 1 [0065.367] lstrcmpW (lpString1="TipBand.dll", lpString2="Windows") returned -1 [0065.367] lstrcmpW (lpString1="TipBand.dll", lpString2="MSOCache") returned 1 [0065.367] lstrcmpW (lpString1="TipBand.dll", lpString2="PerfLogs") returned 1 [0065.367] lstrcmpW (lpString1="TipBand.dll", lpString2="DVD Maker") returned 1 [0065.367] lstrcmpW (lpString1="TipBand.dll", lpString2="Internet Explorer") returned 1 [0065.368] lstrcmpW (lpString1="TipBand.dll", lpString2="Reference Assemblies") returned 1 [0065.368] lstrcmpW (lpString1="TipBand.dll", lpString2="Windows Defender") returned -1 [0065.368] lstrcmpW (lpString1="TipBand.dll", lpString2="Windows Mail") returned -1 [0065.368] lstrcmpW (lpString1="TipBand.dll", lpString2="Windows Media Player") returned -1 [0065.368] lstrcmpW (lpString1="TipBand.dll", lpString2="Windows NT") returned -1 [0065.368] lstrcmpW (lpString1="TipBand.dll", lpString2="Windows Sidebar") returned -1 [0065.368] lstrcmpW (lpString1="TipBand.dll", lpString2="Startup") returned 1 [0065.368] lstrcmpW (lpString1="TipBand.dll", lpString2="Temp") returned 1 [0065.368] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="TipBand.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TipBand.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TipBand.dll" [0065.368] PathFindExtensionW (pszPath="TipBand.dll") returned=".dll" [0065.368] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TipBand.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipband.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.368] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.368] lstrcmpW (lpString1="TipRes.dll", lpString2="..") returned 1 [0065.368] lstrcmpW (lpString1="TipRes.dll", lpString2=".") returned 1 [0065.368] lstrcmpW (lpString1="TipRes.dll", lpString2="Windows") returned -1 [0065.368] lstrcmpW (lpString1="TipRes.dll", lpString2="MSOCache") returned 1 [0065.368] lstrcmpW (lpString1="TipRes.dll", lpString2="PerfLogs") returned 1 [0065.368] lstrcmpW (lpString1="TipRes.dll", lpString2="DVD Maker") returned 1 [0065.368] lstrcmpW (lpString1="TipRes.dll", lpString2="Internet Explorer") returned 1 [0065.368] lstrcmpW (lpString1="TipRes.dll", lpString2="Reference Assemblies") returned 1 [0065.368] lstrcmpW (lpString1="TipRes.dll", lpString2="Windows Defender") returned -1 [0065.368] lstrcmpW (lpString1="TipRes.dll", lpString2="Windows Mail") returned -1 [0065.369] lstrcmpW (lpString1="TipRes.dll", lpString2="Windows Media Player") returned -1 [0065.369] lstrcmpW (lpString1="TipRes.dll", lpString2="Windows NT") returned -1 [0065.369] lstrcmpW (lpString1="TipRes.dll", lpString2="Windows Sidebar") returned -1 [0065.369] lstrcmpW (lpString1="TipRes.dll", lpString2="Startup") returned 1 [0065.369] lstrcmpW (lpString1="TipRes.dll", lpString2="Temp") returned 1 [0065.369] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="TipRes.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TipRes.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TipRes.dll" [0065.369] PathFindExtensionW (pszPath="TipRes.dll") returned=".dll" [0065.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.369] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.369] lstrcmpW (lpString1="tipresx.dll", lpString2="..") returned 1 [0065.369] lstrcmpW (lpString1="tipresx.dll", lpString2=".") returned 1 [0065.369] lstrcmpW (lpString1="tipresx.dll", lpString2="Windows") returned -1 [0065.369] lstrcmpW (lpString1="tipresx.dll", lpString2="MSOCache") returned 1 [0065.369] lstrcmpW (lpString1="tipresx.dll", lpString2="PerfLogs") returned 1 [0065.369] lstrcmpW (lpString1="tipresx.dll", lpString2="DVD Maker") returned 1 [0065.369] lstrcmpW (lpString1="tipresx.dll", lpString2="Internet Explorer") returned 1 [0065.369] lstrcmpW (lpString1="tipresx.dll", lpString2="Reference Assemblies") returned 1 [0065.369] lstrcmpW (lpString1="tipresx.dll", lpString2="Windows Defender") returned -1 [0065.370] lstrcmpW (lpString1="tipresx.dll", lpString2="Windows Mail") returned -1 [0065.370] lstrcmpW (lpString1="tipresx.dll", lpString2="Windows Media Player") returned -1 [0065.370] lstrcmpW (lpString1="tipresx.dll", lpString2="Windows NT") returned -1 [0065.370] lstrcmpW (lpString1="tipresx.dll", lpString2="Windows Sidebar") returned -1 [0065.370] lstrcmpW (lpString1="tipresx.dll", lpString2="Startup") returned 1 [0065.370] lstrcmpW (lpString1="tipresx.dll", lpString2="Temp") returned 1 [0065.370] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="tipresx.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipresx.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipresx.dll" [0065.370] PathFindExtensionW (pszPath="tipresx.dll") returned=".dll" [0065.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.370] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="..") returned 1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2=".") returned 1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="Windows") returned -1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="MSOCache") returned 1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="PerfLogs") returned 1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="DVD Maker") returned 1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="Internet Explorer") returned 1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="Reference Assemblies") returned 1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="Windows Defender") returned -1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="Windows Mail") returned -1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="Windows Media Player") returned -1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="Windows NT") returned -1 [0065.370] lstrcmpW (lpString1="tipskins.dll", lpString2="Windows Sidebar") returned -1 [0065.371] lstrcmpW (lpString1="tipskins.dll", lpString2="Startup") returned 1 [0065.371] lstrcmpW (lpString1="tipskins.dll", lpString2="Temp") returned 1 [0065.371] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="tipskins.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipskins.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipskins.dll" [0065.371] PathFindExtensionW (pszPath="tipskins.dll") returned=".dll" [0065.371] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tipskins.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipskins.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.371] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="..") returned 1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2=".") returned 1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="Windows") returned -1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="MSOCache") returned 1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="PerfLogs") returned 1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="DVD Maker") returned 1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="Internet Explorer") returned 1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="Reference Assemblies") returned 1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="Windows Defender") returned -1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="Windows Mail") returned -1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="Windows Media Player") returned -1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="Windows NT") returned -1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="Windows Sidebar") returned -1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="Startup") returned 1 [0065.371] lstrcmpW (lpString1="tiptsf.dll", lpString2="Temp") returned 1 [0065.372] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="tiptsf.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" [0065.372] PathFindExtensionW (pszPath="tiptsf.dll") returned=".dll" [0065.372] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.372] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="..") returned 1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2=".") returned 1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="Windows") returned -1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="MSOCache") returned 1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="PerfLogs") returned 1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="DVD Maker") returned 1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="Internet Explorer") returned 1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="Reference Assemblies") returned 1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="Windows Defender") returned -1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="Windows Mail") returned -1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="Windows Media Player") returned -1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="Windows NT") returned -1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="Windows Sidebar") returned -1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="Startup") returned 1 [0065.372] lstrcmpW (lpString1="tpcps.dll", lpString2="Temp") returned 1 [0065.372] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="tpcps.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tpcps.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tpcps.dll" [0065.372] PathFindExtensionW (pszPath="tpcps.dll") returned=".dll" [0065.372] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tpcps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tpcps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.373] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="Windows") returned -1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="MSOCache") returned 1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="PerfLogs") returned 1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="DVD Maker") returned 1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="Internet Explorer") returned 1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="Reference Assemblies") returned 1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="Windows Defender") returned -1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="Windows Mail") returned -1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="Windows Media Player") returned -1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="Windows NT") returned -1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="Windows Sidebar") returned -1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="Startup") returned 1 [0065.373] lstrcmpW (lpString1="tr-TR", lpString2="Temp") returned 1 [0065.373] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="tr-TR" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR" [0065.373] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\*.*" [0065.373] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4798 [0065.374] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.374] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.374] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.374] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.374] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui" [0065.374] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.374] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tr-TR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.375] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.375] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0065.375] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2="..") returned 1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2=".") returned 1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2="Windows") returned -1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2="MSOCache") returned 1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2="PerfLogs") returned 1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2="DVD Maker") returned 1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2="Internet Explorer") returned 1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2="Reference Assemblies") returned 1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2="Windows Defender") returned -1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2="Windows Mail") returned -1 [0065.375] lstrcmpW (lpString1="uk-UA", lpString2="Windows Media Player") returned -1 [0065.376] lstrcmpW (lpString1="uk-UA", lpString2="Windows NT") returned -1 [0065.376] lstrcmpW (lpString1="uk-UA", lpString2="Windows Sidebar") returned -1 [0065.376] lstrcmpW (lpString1="uk-UA", lpString2="Startup") returned 1 [0065.376] lstrcmpW (lpString1="uk-UA", lpString2="Temp") returned 1 [0065.376] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="uk-UA" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA" [0065.376] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\*.*" [0065.376] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4998 [0065.376] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.376] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.376] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.376] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.376] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.376] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.376] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.376] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.376] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.376] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.376] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.376] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.376] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.377] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.377] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.377] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.377] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.377] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.377] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui" [0065.377] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.377] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\uk-UA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.377] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.377] FindClose (in: hFindFile=0x4d4998 | out: hFindFile=0x4d4998) returned 1 [0065.377] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.377] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0065.377] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0065.377] lstrcmpW (lpString1="zh-CN", lpString2="Windows") returned 1 [0065.377] lstrcmpW (lpString1="zh-CN", lpString2="MSOCache") returned 1 [0065.377] lstrcmpW (lpString1="zh-CN", lpString2="PerfLogs") returned 1 [0065.377] lstrcmpW (lpString1="zh-CN", lpString2="DVD Maker") returned 1 [0065.377] lstrcmpW (lpString1="zh-CN", lpString2="Internet Explorer") returned 1 [0065.377] lstrcmpW (lpString1="zh-CN", lpString2="Reference Assemblies") returned 1 [0065.377] lstrcmpW (lpString1="zh-CN", lpString2="Windows Defender") returned 1 [0065.377] lstrcmpW (lpString1="zh-CN", lpString2="Windows Mail") returned 1 [0065.378] lstrcmpW (lpString1="zh-CN", lpString2="Windows Media Player") returned 1 [0065.378] lstrcmpW (lpString1="zh-CN", lpString2="Windows NT") returned 1 [0065.378] lstrcmpW (lpString1="zh-CN", lpString2="Windows Sidebar") returned 1 [0065.378] lstrcmpW (lpString1="zh-CN", lpString2="Startup") returned 1 [0065.378] lstrcmpW (lpString1="zh-CN", lpString2="Temp") returned 1 [0065.378] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="zh-CN" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN" [0065.378] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\*.*" [0065.378] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4d18 [0065.379] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.379] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.379] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.379] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.380] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui" [0065.380] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.380] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-CN\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.380] FindNextFileW (in: hFindFile=0x4d4d18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.380] FindClose (in: hFindFile=0x4d4d18 | out: hFindFile=0x4d4d18) returned 1 [0065.380] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="..") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2=".") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="Windows") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="MSOCache") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="PerfLogs") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="DVD Maker") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="Internet Explorer") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="Reference Assemblies") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="Windows Defender") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="Windows Mail") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="Windows Media Player") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="Windows NT") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="Windows Sidebar") returned 1 [0065.380] lstrcmpW (lpString1="zh-HK", lpString2="Startup") returned 1 [0065.381] lstrcmpW (lpString1="zh-HK", lpString2="Temp") returned 1 [0065.381] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="zh-HK" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK" [0065.381] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\*.*" [0065.381] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4798 [0065.381] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.381] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.381] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.381] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.382] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.382] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.382] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\tipresx.dll.mui" [0065.384] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.384] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-HK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-hk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.385] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.385] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0065.385] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.385] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0065.385] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0065.385] lstrcmpW (lpString1="zh-TW", lpString2="Windows") returned 1 [0065.385] lstrcmpW (lpString1="zh-TW", lpString2="MSOCache") returned 1 [0065.385] lstrcmpW (lpString1="zh-TW", lpString2="PerfLogs") returned 1 [0065.385] lstrcmpW (lpString1="zh-TW", lpString2="DVD Maker") returned 1 [0065.385] lstrcmpW (lpString1="zh-TW", lpString2="Internet Explorer") returned 1 [0065.386] lstrcmpW (lpString1="zh-TW", lpString2="Reference Assemblies") returned 1 [0065.386] lstrcmpW (lpString1="zh-TW", lpString2="Windows Defender") returned 1 [0065.386] lstrcmpW (lpString1="zh-TW", lpString2="Windows Mail") returned 1 [0065.386] lstrcmpW (lpString1="zh-TW", lpString2="Windows Media Player") returned 1 [0065.386] lstrcmpW (lpString1="zh-TW", lpString2="Windows NT") returned 1 [0065.386] lstrcmpW (lpString1="zh-TW", lpString2="Windows Sidebar") returned 1 [0065.386] lstrcmpW (lpString1="zh-TW", lpString2="Startup") returned 1 [0065.386] lstrcmpW (lpString1="zh-TW", lpString2="Temp") returned 1 [0065.386] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink", pszFile="zh-TW" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW" [0065.386] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\*.*" [0065.386] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4798 [0065.386] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.386] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.386] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.386] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="..") returned 1 [0065.386] lstrcmpW (lpString1="tipresx.dll.mui", lpString2=".") returned 1 [0065.386] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0065.386] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="MSOCache") returned 1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="PerfLogs") returned 1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="DVD Maker") returned 1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Internet Explorer") returned 1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Reference Assemblies") returned 1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Defender") returned -1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Mail") returned -1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Media Player") returned -1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows NT") returned -1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Windows Sidebar") returned -1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Startup") returned 1 [0065.387] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="Temp") returned 1 [0065.387] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW", pszFile="tipresx.dll.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui" [0065.387] PathFindExtensionW (pszPath="tipresx.dll.mui") returned=".mui" [0065.387] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\zh-TW\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.387] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.387] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0065.387] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0 [0065.387] FindClose (in: hFindFile=0x4d4818 | out: hFindFile=0x4d4818) returned 1 [0065.387] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="..") returned 1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2=".") returned 1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="Windows") returned -1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="MSOCache") returned -1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="PerfLogs") returned -1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="DVD Maker") returned 1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="Internet Explorer") returned 1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="Reference Assemblies") returned -1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="Windows Defender") returned -1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="Windows Mail") returned -1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="Windows Media Player") returned -1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="Windows NT") returned -1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="Windows Sidebar") returned -1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="Startup") returned -1 [0065.388] lstrcmpW (lpString1="MSClientDataMgr", lpString2="Temp") returned -1 [0065.388] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="MSClientDataMgr" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr") returned="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr" [0065.388] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr\\*.*" [0065.388] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4d58 [0065.389] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.389] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.389] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="..") returned 1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2=".") returned 1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="Windows") returned -1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="MSOCache") returned -1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="PerfLogs") returned -1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="DVD Maker") returned 1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="Internet Explorer") returned 1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="Reference Assemblies") returned -1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="Windows Defender") returned -1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="Windows Mail") returned -1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="Windows Media Player") returned -1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="Windows NT") returned -1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="Windows Sidebar") returned -1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="Startup") returned -1 [0065.389] lstrcmpW (lpString1="MSCDM.DLL", lpString2="Temp") returned -1 [0065.390] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr", pszFile="MSCDM.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr\\MSCDM.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr\\MSCDM.DLL" [0065.390] PathFindExtensionW (pszPath="MSCDM.DLL") returned=".DLL" [0065.390] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0065.390] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x768b0 [0065.390] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x768b0, lpName=0x0) returned 0x248 [0065.390] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0065.720] CloseHandle (hObject=0x248) returned 1 [0065.721] CloseHandle (hObject=0x24c) returned 1 [0065.774] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0065.775] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll"), _Mode="rb+") returned 0x76ea4c68 [0065.776] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0065.776] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0065.776] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0065.787] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSClientDataMgr\\MSCDM.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0065.788] FindNextFileW (in: hFindFile=0x4d4d58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0 [0065.788] FindClose (in: hFindFile=0x4d4d58 | out: hFindFile=0x4d4d58) returned 1 [0065.788] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="..") returned 1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2=".") returned 1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="Windows") returned -1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="MSOCache") returned -1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="PerfLogs") returned -1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="DVD Maker") returned 1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="Internet Explorer") returned 1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="Reference Assemblies") returned -1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="Windows Defender") returned -1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="Windows Mail") returned -1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="Windows Media Player") returned -1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="Windows NT") returned -1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="Windows Sidebar") returned -1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="Startup") returned -1 [0065.788] lstrcmpW (lpString1="MSInfo", lpString2="Temp") returned -1 [0065.788] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="MSInfo" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo") returned="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo" [0065.788] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*" [0065.788] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4798 [0065.789] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.789] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.789] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0065.789] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="Windows") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="MSOCache") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="PerfLogs") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="DVD Maker") returned 1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="Internet Explorer") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="Reference Assemblies") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="Windows Defender") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="Windows Mail") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="Windows Media Player") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="Windows NT") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="Windows Sidebar") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="Startup") returned -1 [0065.789] lstrcmpW (lpString1="en-US", lpString2="Temp") returned -1 [0065.789] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo", pszFile="en-US" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US") returned="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US" [0065.789] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*" [0065.789] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4b18 [0065.790] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.790] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.790] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="..") returned 1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2=".") returned 1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="Windows") returned -1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="MSOCache") returned -1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="PerfLogs") returned -1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="DVD Maker") returned 1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="Internet Explorer") returned 1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="Reference Assemblies") returned -1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="Windows Defender") returned -1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="Windows Mail") returned -1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="Windows Media Player") returned -1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="Windows NT") returned -1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="Windows Sidebar") returned -1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="Startup") returned -1 [0065.790] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="Temp") returned -1 [0065.790] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US", pszFile="msinfo32.exe.mui" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" [0065.790] PathFindExtensionW (pszPath="msinfo32.exe.mui") returned=".mui" [0065.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.833] FindNextFileW (in: hFindFile=0x4d4b18, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0065.833] FindClose (in: hFindFile=0x4d4b18 | out: hFindFile=0x4d4b18) returned 1 [0065.833] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="..") returned 1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2=".") returned 1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="Windows") returned -1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="MSOCache") returned -1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="PerfLogs") returned -1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="DVD Maker") returned 1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="Internet Explorer") returned 1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="Reference Assemblies") returned -1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="Windows Defender") returned -1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="Windows Mail") returned -1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="Windows Media Player") returned -1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="Windows NT") returned -1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="Windows Sidebar") returned -1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="Startup") returned -1 [0065.833] lstrcmpW (lpString1="msinfo32.exe", lpString2="Temp") returned -1 [0065.833] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo", pszFile="msinfo32.exe" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe") returned="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" [0065.833] PathFindExtensionW (pszPath="msinfo32.exe") returned=".exe" [0065.833] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.841] FindNextFileW (in: hFindFile=0x4d4798, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0 [0065.841] FindClose (in: hFindFile=0x4d4798 | out: hFindFile=0x4d4798) returned 1 [0065.841] FindNextFileW (in: hFindFile=0x4d4b58, lpFindFileData=0x2ace2d0 | out: lpFindFileData=0x2ace2d0) returned 1 [0065.841] lstrcmpW (lpString1="OFFICE15", lpString2="..") returned 1 [0065.841] lstrcmpW (lpString1="OFFICE15", lpString2=".") returned 1 [0065.841] lstrcmpW (lpString1="OFFICE15", lpString2="Windows") returned -1 [0065.841] lstrcmpW (lpString1="OFFICE15", lpString2="MSOCache") returned 1 [0065.841] lstrcmpW (lpString1="OFFICE15", lpString2="PerfLogs") returned -1 [0065.841] lstrcmpW (lpString1="OFFICE15", lpString2="DVD Maker") returned 1 [0065.841] lstrcmpW (lpString1="OFFICE15", lpString2="Internet Explorer") returned 1 [0065.841] lstrcmpW (lpString1="OFFICE15", lpString2="Reference Assemblies") returned -1 [0065.841] lstrcmpW (lpString1="OFFICE15", lpString2="Windows Defender") returned -1 [0065.841] lstrcmpW (lpString1="OFFICE15", lpString2="Windows Mail") returned -1 [0065.842] lstrcmpW (lpString1="OFFICE15", lpString2="Windows Media Player") returned -1 [0065.842] lstrcmpW (lpString1="OFFICE15", lpString2="Windows NT") returned -1 [0065.842] lstrcmpW (lpString1="OFFICE15", lpString2="Windows Sidebar") returned -1 [0065.842] lstrcmpW (lpString1="OFFICE15", lpString2="Startup") returned -1 [0065.842] lstrcmpW (lpString1="OFFICE15", lpString2="Temp") returned -1 [0065.842] PathCombineW (in: pszDest=0x2ace520, pszDir="C:\\Program Files\\Common Files\\microsoft shared", pszFile="OFFICE15" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15" [0065.842] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\*.*" [0065.842] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\*.*", lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 0x4d4c58 [0065.842] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.842] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.842] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0065.842] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0065.842] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0065.842] lstrcmpW (lpString1="1033", lpString2="Windows") returned -1 [0065.842] lstrcmpW (lpString1="1033", lpString2="MSOCache") returned -1 [0065.842] lstrcmpW (lpString1="1033", lpString2="PerfLogs") returned -1 [0065.842] lstrcmpW (lpString1="1033", lpString2="DVD Maker") returned -1 [0065.842] lstrcmpW (lpString1="1033", lpString2="Internet Explorer") returned -1 [0065.842] lstrcmpW (lpString1="1033", lpString2="Reference Assemblies") returned -1 [0065.842] lstrcmpW (lpString1="1033", lpString2="Windows Defender") returned -1 [0065.843] lstrcmpW (lpString1="1033", lpString2="Windows Mail") returned -1 [0065.843] lstrcmpW (lpString1="1033", lpString2="Windows Media Player") returned -1 [0065.843] lstrcmpW (lpString1="1033", lpString2="Windows NT") returned -1 [0065.843] lstrcmpW (lpString1="1033", lpString2="Windows Sidebar") returned -1 [0065.843] lstrcmpW (lpString1="1033", lpString2="Startup") returned -1 [0065.843] lstrcmpW (lpString1="1033", lpString2="Temp") returned -1 [0065.843] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="1033" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033" [0065.843] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\*.*" [0065.843] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4ed8 [0065.849] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.849] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="..") returned 1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2=".") returned 1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="Windows") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="MSOCache") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="PerfLogs") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="DVD Maker") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="Internet Explorer") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="Reference Assemblies") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="Windows Defender") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="Windows Mail") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="Windows Media Player") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="Windows NT") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="Windows Sidebar") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="Startup") returned -1 [0065.849] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="Temp") returned -1 [0065.849] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="ACEINTL.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEINTL.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEINTL.DLL" [0065.850] PathFindExtensionW (pszPath="ACEINTL.DLL") returned=".DLL" [0065.850] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\aceintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0065.850] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x312c8 [0065.850] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x312c8, lpName=0x0) returned 0x244 [0065.850] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0065.907] CloseHandle (hObject=0x244) returned 1 [0065.907] CloseHandle (hObject=0x248) returned 1 [0066.060] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0066.061] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\aceintl.dll"), _Mode="rb+") returned 0x76ea4c68 [0066.061] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0066.061] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0066.061] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0066.068] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\aceintl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEINTL.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\aceintl.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0066.069] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="..") returned 1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2=".") returned 1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="Windows") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="MSOCache") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="PerfLogs") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="DVD Maker") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="Internet Explorer") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="Reference Assemblies") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="Windows Defender") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="Windows Mail") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="Windows Media Player") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="Windows NT") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="Windows Sidebar") returned -1 [0066.069] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="Startup") returned -1 [0066.070] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="Temp") returned -1 [0066.070] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="ACEODBCI.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEODBCI.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEODBCI.DLL" [0066.070] PathFindExtensionW (pszPath="ACEODBCI.DLL") returned=".DLL" [0066.070] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\aceodbci.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0066.070] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xd0c0 [0066.070] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd0c0, lpName=0x0) returned 0x244 [0066.070] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0066.237] CloseHandle (hObject=0x244) returned 1 [0066.237] CloseHandle (hObject=0x248) returned 1 [0066.257] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0066.258] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\aceodbci.dll"), _Mode="rb+") returned 0x76ea4c68 [0066.258] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0066.258] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0066.258] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0066.264] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\aceodbci.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEODBCI.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\aceodbci.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0066.265] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="..") returned 1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2=".") returned 1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="Windows") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="MSOCache") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="PerfLogs") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="DVD Maker") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="Internet Explorer") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="Reference Assemblies") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="Windows Defender") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="Windows Mail") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="Windows Media Player") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="Windows NT") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="Windows Sidebar") returned -1 [0066.265] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="Startup") returned -1 [0066.266] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="Temp") returned -1 [0066.266] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="ACEWSTR.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEWSTR.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEWSTR.DLL" [0066.266] PathFindExtensionW (pszPath="ACEWSTR.DLL") returned=".DLL" [0066.266] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\acewstr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0066.266] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xd1cb0 [0066.266] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd1cb0, lpName=0x0) returned 0x244 [0066.266] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0066.349] CloseHandle (hObject=0x244) returned 1 [0066.349] CloseHandle (hObject=0x248) returned 1 [0066.470] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0066.474] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\acewstr.dll"), _Mode="rb+") returned 0x76ea4c68 [0066.474] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0066.474] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0066.475] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0066.523] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\acewstr.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ACEWSTR.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\acewstr.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0066.538] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0066.538] lstrcmpW (lpString1="ADO210.CHM", lpString2="..") returned 1 [0066.538] lstrcmpW (lpString1="ADO210.CHM", lpString2=".") returned 1 [0066.538] lstrcmpW (lpString1="ADO210.CHM", lpString2="Windows") returned -1 [0066.538] lstrcmpW (lpString1="ADO210.CHM", lpString2="MSOCache") returned -1 [0066.538] lstrcmpW (lpString1="ADO210.CHM", lpString2="PerfLogs") returned -1 [0066.538] lstrcmpW (lpString1="ADO210.CHM", lpString2="DVD Maker") returned -1 [0066.539] lstrcmpW (lpString1="ADO210.CHM", lpString2="Internet Explorer") returned -1 [0066.539] lstrcmpW (lpString1="ADO210.CHM", lpString2="Reference Assemblies") returned -1 [0066.539] lstrcmpW (lpString1="ADO210.CHM", lpString2="Windows Defender") returned -1 [0066.539] lstrcmpW (lpString1="ADO210.CHM", lpString2="Windows Mail") returned -1 [0066.539] lstrcmpW (lpString1="ADO210.CHM", lpString2="Windows Media Player") returned -1 [0066.539] lstrcmpW (lpString1="ADO210.CHM", lpString2="Windows NT") returned -1 [0066.539] lstrcmpW (lpString1="ADO210.CHM", lpString2="Windows Sidebar") returned -1 [0066.539] lstrcmpW (lpString1="ADO210.CHM", lpString2="Startup") returned -1 [0066.539] lstrcmpW (lpString1="ADO210.CHM", lpString2="Temp") returned -1 [0066.539] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="ADO210.CHM" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ADO210.CHM") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ADO210.CHM" [0066.539] PathFindExtensionW (pszPath="ADO210.CHM") returned=".CHM" [0066.539] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\ado210.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0066.539] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x19a3ff [0066.539] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x244 [0066.539] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0066.570] CloseHandle (hObject=0x244) returned 1 [0066.570] CloseHandle (hObject=0x248) returned 1 [0066.846] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0066.857] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\ado210.chm"), _Mode="rb+") returned 0x76ea4c68 [0066.857] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0066.857] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0066.857] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0066.901] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\ado210.chm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ADO210.CHM.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\ado210.chm.[sepsis@protonmail.com].sepsis")) returned 1 [0066.901] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0066.901] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="..") returned 1 [0066.901] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2=".") returned 1 [0066.901] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="Windows") returned -1 [0066.901] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="MSOCache") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="PerfLogs") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="DVD Maker") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="Internet Explorer") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="Reference Assemblies") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="Windows Defender") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="Windows Mail") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="Windows Media Player") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="Windows NT") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="Windows Sidebar") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="Startup") returned -1 [0066.902] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="Temp") returned -1 [0066.902] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="ALRTINTL.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ALRTINTL.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ALRTINTL.DLL" [0066.902] PathFindExtensionW (pszPath="ALRTINTL.DLL") returned=".DLL" [0066.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\alrtintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0066.902] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x25a60 [0066.902] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x25a60, lpName=0x0) returned 0x244 [0066.902] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0066.991] CloseHandle (hObject=0x244) returned 1 [0066.991] CloseHandle (hObject=0x248) returned 1 [0067.021] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0067.022] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\alrtintl.dll"), _Mode="rb+") returned 0x76ea4c68 [0067.022] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0067.022] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0067.022] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0067.025] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\alrtintl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\ALRTINTL.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\alrtintl.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0067.025] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0067.025] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="..") returned 1 [0067.025] lstrcmpW (lpString1="MSOINTL.DLL", lpString2=".") returned 1 [0067.025] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="Windows") returned -1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="MSOCache") returned 1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="PerfLogs") returned -1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="DVD Maker") returned 1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="Internet Explorer") returned 1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="Reference Assemblies") returned -1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="Windows Defender") returned -1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="Windows Mail") returned -1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="Windows Media Player") returned -1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="Windows NT") returned -1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="Windows Sidebar") returned -1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="Startup") returned -1 [0067.026] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="Temp") returned -1 [0067.026] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="MSOINTL.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL" [0067.026] PathFindExtensionW (pszPath="MSOINTL.DLL") returned=".DLL" [0067.026] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0067.027] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x375288 [0067.027] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x244 [0067.027] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0067.064] CloseHandle (hObject=0x244) returned 1 [0067.064] CloseHandle (hObject=0x248) returned 1 [0067.359] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0067.374] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll"), _Mode="rb+") returned 0x76ea4c68 [0067.374] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0067.374] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0067.374] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0067.459] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0067.460] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="..") returned 1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2=".") returned 1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Windows") returned -1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="MSOCache") returned 1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="PerfLogs") returned -1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="DVD Maker") returned 1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Internet Explorer") returned 1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Reference Assemblies") returned -1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Windows Defender") returned -1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Windows Mail") returned -1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Windows Media Player") returned -1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Windows NT") returned -1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Windows Sidebar") returned -1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Startup") returned -1 [0067.460] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Temp") returned -1 [0067.460] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="MSOINTL.DLL.IDX_DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL.IDX_DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL.IDX_DLL" [0067.460] PathFindExtensionW (pszPath="MSOINTL.DLL.IDX_DLL") returned=".IDX_DLL" [0067.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0067.461] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xce90 [0067.461] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xce90, lpName=0x0) returned 0x244 [0067.461] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0067.501] CloseHandle (hObject=0x244) returned 1 [0067.501] CloseHandle (hObject=0x248) returned 1 [0067.507] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0067.507] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll.idx_dll"), _Mode="rb+") returned 0x76ea4c68 [0067.507] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0067.507] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0067.507] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0067.509] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll.idx_dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL.IDX_DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll.idx_dll.[sepsis@protonmail.com].sepsis")) returned 1 [0067.509] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0067.509] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="..") returned 1 [0067.509] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2=".") returned 1 [0067.509] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Windows") returned -1 [0067.509] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="MSOCache") returned 1 [0067.509] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="PerfLogs") returned -1 [0067.509] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="DVD Maker") returned 1 [0067.510] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Internet Explorer") returned 1 [0067.510] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Reference Assemblies") returned -1 [0067.510] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Windows Defender") returned -1 [0067.510] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Windows Mail") returned -1 [0067.510] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Windows Media Player") returned -1 [0067.510] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Windows NT") returned -1 [0067.510] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Windows Sidebar") returned -1 [0067.510] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Startup") returned -1 [0067.510] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Temp") returned -1 [0067.510] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="MSOINTL.REST.IDX_DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.REST.IDX_DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.REST.IDX_DLL" [0067.510] PathFindExtensionW (pszPath="MSOINTL.REST.IDX_DLL") returned=".IDX_DLL" [0067.510] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0067.510] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x16a690 [0067.510] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16a690, lpName=0x0) returned 0x244 [0067.510] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0067.517] CloseHandle (hObject=0x244) returned 1 [0067.517] CloseHandle (hObject=0x248) returned 1 [0067.852] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0067.864] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.rest.idx_dll"), _Mode="rb+") returned 0x76ea4c68 [0067.864] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0067.864] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0067.864] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0067.903] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.rest.idx_dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.REST.IDX_DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.rest.idx_dll.[sepsis@protonmail.com].sepsis")) returned 1 [0067.904] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="..") returned 1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2=".") returned 1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="Windows") returned -1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="MSOCache") returned 1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="PerfLogs") returned -1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="DVD Maker") returned 1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="Internet Explorer") returned 1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="Reference Assemblies") returned -1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="Windows Defender") returned -1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="Windows Mail") returned -1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="Windows Media Player") returned -1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="Windows NT") returned -1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="Windows Sidebar") returned -1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="Startup") returned -1 [0067.904] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="Temp") returned -1 [0067.904] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="MSSOAPR3.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSSOAPR3.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSSOAPR3.DLL" [0067.904] PathFindExtensionW (pszPath="MSSOAPR3.DLL") returned=".DLL" [0067.904] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\mssoapr3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0067.904] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa498 [0067.904] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa498, lpName=0x0) returned 0x244 [0067.905] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0068.618] CloseHandle (hObject=0x244) returned 1 [0068.618] CloseHandle (hObject=0x248) returned 1 [0068.818] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0068.818] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\mssoapr3.dll"), _Mode="rb+") returned 0x76ea4c68 [0068.819] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0068.819] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0068.819] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0068.820] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\mssoapr3.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSSOAPR3.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\mssoapr3.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0068.820] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0068.820] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="..") returned 1 [0068.820] lstrcmpW (lpString1="OARPMANR.DLL", lpString2=".") returned 1 [0068.820] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="Windows") returned -1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="MSOCache") returned 1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="PerfLogs") returned -1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="DVD Maker") returned 1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="Internet Explorer") returned 1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="Reference Assemblies") returned -1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="Windows Defender") returned -1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="Windows Mail") returned -1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="Windows Media Player") returned -1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="Windows NT") returned -1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="Windows Sidebar") returned -1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="Startup") returned -1 [0068.821] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="Temp") returned -1 [0068.821] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="OARPMANR.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OARPMANR.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OARPMANR.DLL" [0068.821] PathFindExtensionW (pszPath="OARPMANR.DLL") returned=".DLL" [0068.821] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\oarpmanr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0068.822] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x3098 [0068.822] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3098, lpName=0x0) returned 0x244 [0068.822] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0068.939] CloseHandle (hObject=0x244) returned 1 [0068.939] CloseHandle (hObject=0x248) returned 1 [0068.961] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0068.961] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\oarpmanr.dll"), _Mode="rb+") returned 0x76ea4c68 [0068.962] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0068.962] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0068.962] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0068.962] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\oarpmanr.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OARPMANR.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\oarpmanr.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0068.963] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="..") returned 1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2=".") returned 1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="Windows") returned -1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="MSOCache") returned 1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="PerfLogs") returned -1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="DVD Maker") returned 1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="Internet Explorer") returned 1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="Reference Assemblies") returned -1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="Windows Defender") returned -1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="Windows Mail") returned -1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="Windows Media Player") returned -1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="Windows NT") returned -1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="Windows Sidebar") returned -1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="Startup") returned -1 [0068.963] lstrcmpW (lpString1="OSFINTL.DLL", lpString2="Temp") returned -1 [0068.963] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="OSFINTL.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OSFINTL.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OSFINTL.DLL" [0068.963] PathFindExtensionW (pszPath="OSFINTL.DLL") returned=".DLL" [0068.963] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OSFINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osfintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0068.964] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x20a88 [0068.964] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x20a88, lpName=0x0) returned 0x244 [0068.964] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0069.096] CloseHandle (hObject=0x244) returned 1 [0069.096] CloseHandle (hObject=0x248) returned 1 [0069.122] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0069.123] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OSFINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osfintl.dll"), _Mode="rb+") returned 0x76ea4c68 [0069.123] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0069.123] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0069.123] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0069.132] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OSFINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osfintl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\OSFINTL.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osfintl.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0069.132] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0069.132] lstrcmpW (lpString1="osmdp32.msi", lpString2="..") returned 1 [0069.132] lstrcmpW (lpString1="osmdp32.msi", lpString2=".") returned 1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="Windows") returned -1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="MSOCache") returned 1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="PerfLogs") returned -1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="DVD Maker") returned 1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="Internet Explorer") returned 1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="Reference Assemblies") returned -1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="Windows Defender") returned -1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="Windows Mail") returned -1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="Windows Media Player") returned -1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="Windows NT") returned -1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="Windows Sidebar") returned -1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="Startup") returned -1 [0069.133] lstrcmpW (lpString1="osmdp32.msi", lpString2="Temp") returned -1 [0069.133] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="osmdp32.msi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp32.msi") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp32.msi" [0069.133] PathFindExtensionW (pszPath="osmdp32.msi") returned=".msi" [0069.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp32.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmdp32.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0069.143] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x22d000 [0069.143] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x244 [0069.143] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0069.153] CloseHandle (hObject=0x244) returned 1 [0069.153] CloseHandle (hObject=0x248) returned 1 [0069.400] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0069.414] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp32.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmdp32.msi"), _Mode="rb+") returned 0x76ea4c68 [0069.414] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0069.414] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0069.414] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0069.463] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp32.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmdp32.msi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp32.msi.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmdp32.msi.[sepsis@protonmail.com].sepsis")) returned 1 [0069.467] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="..") returned 1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2=".") returned 1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="Windows") returned -1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="MSOCache") returned 1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="PerfLogs") returned -1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="DVD Maker") returned 1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="Internet Explorer") returned 1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="Reference Assemblies") returned -1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="Windows Defender") returned -1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="Windows Mail") returned -1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="Windows Media Player") returned -1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="Windows NT") returned -1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="Windows Sidebar") returned -1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="Startup") returned -1 [0069.467] lstrcmpW (lpString1="osmdp64.msi", lpString2="Temp") returned -1 [0069.467] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="osmdp64.msi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp64.msi") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp64.msi" [0069.467] PathFindExtensionW (pszPath="osmdp64.msi") returned=".msi" [0069.468] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp64.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmdp64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0069.468] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x24c000 [0069.468] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x244 [0069.468] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0069.468] CloseHandle (hObject=0x244) returned 1 [0069.468] CloseHandle (hObject=0x248) returned 1 [0069.628] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0069.638] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp64.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmdp64.msi"), _Mode="rb+") returned 0x76ea4c68 [0069.638] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0069.638] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0069.638] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0069.685] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp64.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmdp64.msi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmdp64.msi.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmdp64.msi.[sepsis@protonmail.com].sepsis")) returned 1 [0069.686] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="..") returned 1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2=".") returned 1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="Windows") returned -1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="MSOCache") returned 1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="PerfLogs") returned -1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="DVD Maker") returned 1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="Internet Explorer") returned 1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="Reference Assemblies") returned -1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="Windows Defender") returned -1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="Windows Mail") returned -1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="Windows Media Player") returned -1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="Windows NT") returned -1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="Windows Sidebar") returned -1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="Startup") returned -1 [0069.686] lstrcmpW (lpString1="osmia32.msi", lpString2="Temp") returned -1 [0069.686] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="osmia32.msi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia32.msi") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia32.msi" [0069.687] PathFindExtensionW (pszPath="osmia32.msi") returned=".msi" [0069.687] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia32.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmia32.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0069.687] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1ba000 [0069.687] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x244 [0069.687] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0069.687] CloseHandle (hObject=0x244) returned 1 [0069.687] CloseHandle (hObject=0x248) returned 1 [0069.831] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0069.838] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia32.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmia32.msi"), _Mode="rb+") returned 0x76ea4c68 [0069.838] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0069.838] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0069.838] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0069.866] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia32.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmia32.msi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia32.msi.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmia32.msi.[sepsis@protonmail.com].sepsis")) returned 1 [0069.867] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="..") returned 1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2=".") returned 1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="Windows") returned -1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="MSOCache") returned 1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="PerfLogs") returned -1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="DVD Maker") returned 1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="Internet Explorer") returned 1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="Reference Assemblies") returned -1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="Windows Defender") returned -1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="Windows Mail") returned -1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="Windows Media Player") returned -1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="Windows NT") returned -1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="Windows Sidebar") returned -1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="Startup") returned -1 [0069.867] lstrcmpW (lpString1="osmia64.msi", lpString2="Temp") returned -1 [0069.867] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="osmia64.msi" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia64.msi") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia64.msi" [0069.867] PathFindExtensionW (pszPath="osmia64.msi") returned=".msi" [0069.867] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia64.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmia64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0069.867] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1c6000 [0069.867] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x244 [0069.867] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0069.868] CloseHandle (hObject=0x244) returned 1 [0069.868] CloseHandle (hObject=0x248) returned 1 [0070.036] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0070.046] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia64.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmia64.msi"), _Mode="rb+") returned 0x76ea4c68 [0070.046] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0070.046] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0070.046] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0070.066] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia64.msi" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmia64.msi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\osmia64.msi.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\osmia64.msi.[sepsis@protonmail.com].sepsis")) returned 1 [0070.066] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0070.066] lstrcmpW (lpString1="README.HTM", lpString2="..") returned 1 [0070.066] lstrcmpW (lpString1="README.HTM", lpString2=".") returned 1 [0070.066] lstrcmpW (lpString1="README.HTM", lpString2="Windows") returned -1 [0070.066] lstrcmpW (lpString1="README.HTM", lpString2="MSOCache") returned 1 [0070.066] lstrcmpW (lpString1="README.HTM", lpString2="PerfLogs") returned 1 [0070.066] lstrcmpW (lpString1="README.HTM", lpString2="DVD Maker") returned 1 [0070.066] lstrcmpW (lpString1="README.HTM", lpString2="Internet Explorer") returned 1 [0070.067] lstrcmpW (lpString1="README.HTM", lpString2="Reference Assemblies") returned -1 [0070.067] lstrcmpW (lpString1="README.HTM", lpString2="Windows Defender") returned -1 [0070.067] lstrcmpW (lpString1="README.HTM", lpString2="Windows Mail") returned -1 [0070.067] lstrcmpW (lpString1="README.HTM", lpString2="Windows Media Player") returned -1 [0070.067] lstrcmpW (lpString1="README.HTM", lpString2="Windows NT") returned -1 [0070.067] lstrcmpW (lpString1="README.HTM", lpString2="Windows Sidebar") returned -1 [0070.067] lstrcmpW (lpString1="README.HTM", lpString2="Startup") returned -1 [0070.067] lstrcmpW (lpString1="README.HTM", lpString2="Temp") returned -1 [0070.067] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="README.HTM" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\README.HTM") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\README.HTM" [0070.067] PathFindExtensionW (pszPath="README.HTM") returned=".HTM" [0070.067] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\readme.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0070.068] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1ab [0070.068] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1ab, lpName=0x0) returned 0x244 [0070.068] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0070.070] CloseHandle (hObject=0x244) returned 1 [0070.070] CloseHandle (hObject=0x248) returned 1 [0070.072] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0070.072] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\readme.htm"), _Mode="rb+") returned 0x76ea4c68 [0070.072] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0070.072] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0070.072] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0070.073] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\readme.htm"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\README.HTM.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\readme.htm.[sepsis@protonmail.com].sepsis")) returned 1 [0070.087] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="..") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2=".") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="Windows") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="MSOCache") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="PerfLogs") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="DVD Maker") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="Internet Explorer") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="Reference Assemblies") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="Windows Defender") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="Windows Mail") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="Windows Media Player") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="Windows NT") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="Windows Sidebar") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="Startup") returned 1 [0070.087] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="Temp") returned 1 [0070.087] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033", pszFile="xlsrvintl.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\xlsrvintl.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\xlsrvintl.dll" [0070.087] PathFindExtensionW (pszPath="xlsrvintl.dll") returned=".dll" [0070.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\xlsrvintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0070.088] GetFileSize (in: hFile=0x248, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x40088 [0070.088] CreateFileMappingW (hFile=0x248, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x40088, lpName=0x0) returned 0x244 [0070.088] MapViewOfFile (hFileMappingObject=0x244, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0070.190] CloseHandle (hObject=0x244) returned 1 [0070.190] CloseHandle (hObject=0x248) returned 1 [0070.236] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0070.238] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\xlsrvintl.dll"), _Mode="rb+") returned 0x76ea4c68 [0070.239] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0070.239] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0070.239] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0070.244] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\xlsrvintl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\xlsrvintl.dll.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\xlsrvintl.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0070.245] FindNextFileW (in: hFindFile=0x4d4ed8, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0070.245] FindClose (in: hFindFile=0x4d4ed8 | out: hFindFile=0x4d4ed8) returned 1 [0070.245] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="..") returned 1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2=".") returned 1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="Windows") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="MSOCache") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="PerfLogs") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="DVD Maker") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="Internet Explorer") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="Reference Assemblies") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="Windows Defender") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="Windows Mail") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="Windows Media Player") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="Windows NT") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="Windows Sidebar") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="Startup") returned -1 [0070.245] lstrcmpW (lpString1="ACECORE.DLL", lpString2="Temp") returned -1 [0070.245] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACECORE.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACECORE.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACECORE.DLL" [0070.245] PathFindExtensionW (pszPath="ACECORE.DLL") returned=".DLL" [0070.245] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acecore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0070.246] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x22acd0 [0070.246] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x248 [0070.246] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0070.297] CloseHandle (hObject=0x248) returned 1 [0070.297] CloseHandle (hObject=0x24c) returned 1 [0070.502] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0070.513] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acecore.dll"), _Mode="rb+") returned 0x76ea4c68 [0070.513] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0070.513] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0070.513] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0070.558] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acecore.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACECORE.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acecore.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0070.559] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="..") returned 1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2=".") returned 1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="Windows") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="MSOCache") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="PerfLogs") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="DVD Maker") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="Internet Explorer") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="Reference Assemblies") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="Windows Defender") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="Windows Mail") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="Windows Media Player") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="Windows NT") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="Windows Sidebar") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="Startup") returned -1 [0070.559] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="Temp") returned -1 [0070.559] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEDAO.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEDAO.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEDAO.DLL" [0070.559] PathFindExtensionW (pszPath="ACEDAO.DLL") returned=".DLL" [0070.559] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acedao.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0070.559] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x96b00 [0070.559] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x96b00, lpName=0x0) returned 0x248 [0070.559] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0070.803] CloseHandle (hObject=0x248) returned 1 [0070.803] CloseHandle (hObject=0x24c) returned 1 [0070.896] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0070.898] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acedao.dll"), _Mode="rb+") returned 0x76ea4c68 [0070.898] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0070.898] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0070.898] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0070.906] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acedao.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEDAO.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acedao.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0070.907] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="..") returned 1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2=".") returned 1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="Windows") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="MSOCache") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="PerfLogs") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="DVD Maker") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="Internet Explorer") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="Reference Assemblies") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="Windows Defender") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="Windows Mail") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="Windows Media Player") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="Windows NT") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="Windows Sidebar") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="Startup") returned -1 [0070.907] lstrcmpW (lpString1="ACEERR.DLL", lpString2="Temp") returned -1 [0070.907] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEERR.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEERR.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEERR.DLL" [0070.907] PathFindExtensionW (pszPath="ACEERR.DLL") returned=".DLL" [0070.907] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceerr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0070.907] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9ed8 [0070.907] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9ed8, lpName=0x0) returned 0x248 [0070.908] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0070.983] CloseHandle (hObject=0x248) returned 1 [0070.983] CloseHandle (hObject=0x24c) returned 1 [0070.989] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0070.990] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceerr.dll"), _Mode="rb+") returned 0x76ea4c68 [0070.990] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0070.990] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0070.990] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0070.996] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceerr.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEERR.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceerr.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0070.996] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="..") returned 1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2=".") returned 1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="Windows") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="MSOCache") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="PerfLogs") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="DVD Maker") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="Internet Explorer") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="Reference Assemblies") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="Windows Defender") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="Windows Mail") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="Windows Media Player") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="Windows NT") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="Windows Sidebar") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="Startup") returned -1 [0070.996] lstrcmpW (lpString1="ACEES.DLL", lpString2="Temp") returned -1 [0070.997] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEES.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEES.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEES.DLL" [0070.997] PathFindExtensionW (pszPath="ACEES.DLL") returned=".DLL" [0070.997] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acees.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0070.997] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xd64f0 [0070.997] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd64f0, lpName=0x0) returned 0x248 [0070.997] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0071.254] CloseHandle (hObject=0x248) returned 1 [0071.254] CloseHandle (hObject=0x24c) returned 1 [0071.343] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0071.347] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acees.dll"), _Mode="rb+") returned 0x76ea4c68 [0071.347] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0071.347] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0071.347] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0071.360] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acees.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEES.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acees.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0071.361] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0071.361] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="..") returned 1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2=".") returned 1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="Windows") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="MSOCache") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="PerfLogs") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="DVD Maker") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="Internet Explorer") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="Reference Assemblies") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="Windows Defender") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="Windows Mail") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="Windows Media Player") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="Windows NT") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="Windows Sidebar") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="Startup") returned -1 [0071.362] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="Temp") returned -1 [0071.362] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEEXCH.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCH.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCH.DLL" [0071.362] PathFindExtensionW (pszPath="ACEEXCH.DLL") returned=".DLL" [0071.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceexch.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0071.362] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x3c8e8 [0071.362] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3c8e8, lpName=0x0) returned 0x248 [0071.362] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0071.487] CloseHandle (hObject=0x248) returned 1 [0071.487] CloseHandle (hObject=0x24c) returned 1 [0071.509] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0071.510] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceexch.dll"), _Mode="rb+") returned 0x76ea4c68 [0071.511] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0071.511] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0071.511] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0071.515] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceexch.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCH.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceexch.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0071.515] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0071.515] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="..") returned 1 [0071.515] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2=".") returned 1 [0071.515] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="Windows") returned -1 [0071.515] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="MSOCache") returned -1 [0071.515] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="PerfLogs") returned -1 [0071.516] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="DVD Maker") returned -1 [0071.516] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="Internet Explorer") returned -1 [0071.516] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="Reference Assemblies") returned -1 [0071.516] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="Windows Defender") returned -1 [0071.516] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="Windows Mail") returned -1 [0071.516] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="Windows Media Player") returned -1 [0071.516] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="Windows NT") returned -1 [0071.516] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="Windows Sidebar") returned -1 [0071.516] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="Startup") returned -1 [0071.516] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="Temp") returned -1 [0071.516] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEEXCL.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCL.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCL.DLL" [0071.516] PathFindExtensionW (pszPath="ACEEXCL.DLL") returned=".DLL" [0071.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceexcl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0071.516] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x820e0 [0071.516] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x820e0, lpName=0x0) returned 0x248 [0071.516] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0071.730] CloseHandle (hObject=0x248) returned 1 [0071.730] CloseHandle (hObject=0x24c) returned 1 [0071.808] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0071.810] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceexcl.dll"), _Mode="rb+") returned 0x76ea4c68 [0071.810] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0071.810] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0071.810] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0071.820] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceexcl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEEXCL.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceexcl.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0071.820] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0071.820] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="..") returned 1 [0071.820] lstrcmpW (lpString1="ACEODBC.DLL", lpString2=".") returned 1 [0071.820] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="Windows") returned -1 [0071.820] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="MSOCache") returned -1 [0071.820] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="PerfLogs") returned -1 [0071.820] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="DVD Maker") returned -1 [0071.820] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="Internet Explorer") returned -1 [0071.820] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="Reference Assemblies") returned -1 [0071.820] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="Windows Defender") returned -1 [0071.821] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="Windows Mail") returned -1 [0071.821] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="Windows Media Player") returned -1 [0071.821] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="Windows NT") returned -1 [0071.821] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="Windows Sidebar") returned -1 [0071.821] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="Startup") returned -1 [0071.821] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="Temp") returned -1 [0071.821] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEODBC.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODBC.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODBC.DLL" [0071.821] PathFindExtensionW (pszPath="ACEODBC.DLL") returned=".DLL" [0071.821] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodbc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0071.821] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x526f8 [0071.821] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x526f8, lpName=0x0) returned 0x248 [0071.821] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0071.994] CloseHandle (hObject=0x248) returned 1 [0071.994] CloseHandle (hObject=0x24c) returned 1 [0072.019] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0072.020] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodbc.dll"), _Mode="rb+") returned 0x76ea4c68 [0072.020] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0072.020] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0072.020] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0072.026] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodbc.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODBC.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodbc.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0072.027] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="..") returned 1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2=".") returned 1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="Windows") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="MSOCache") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="PerfLogs") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="DVD Maker") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="Internet Explorer") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="Reference Assemblies") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="Windows Defender") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="Windows Mail") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="Windows Media Player") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="Windows NT") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="Windows Sidebar") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="Startup") returned -1 [0072.027] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="Temp") returned -1 [0072.027] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEODEXL.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODEXL.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODEXL.DLL" [0072.027] PathFindExtensionW (pszPath="ACEODEXL.DLL") returned=".DLL" [0072.027] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodexl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0072.028] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4098 [0072.028] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4098, lpName=0x0) returned 0x248 [0072.028] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0072.120] CloseHandle (hObject=0x248) returned 1 [0072.120] CloseHandle (hObject=0x24c) returned 1 [0072.136] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0072.137] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodexl.dll"), _Mode="rb+") returned 0x76ea4c68 [0072.137] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0072.137] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0072.137] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0072.139] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodexl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODEXL.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodexl.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0072.139] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0072.139] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="..") returned 1 [0072.139] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2=".") returned 1 [0072.139] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="Windows") returned -1 [0072.139] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="MSOCache") returned -1 [0072.139] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="PerfLogs") returned -1 [0072.139] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="DVD Maker") returned -1 [0072.140] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="Internet Explorer") returned -1 [0072.140] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="Reference Assemblies") returned -1 [0072.140] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="Windows Defender") returned -1 [0072.140] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="Windows Mail") returned -1 [0072.140] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="Windows Media Player") returned -1 [0072.140] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="Windows NT") returned -1 [0072.140] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="Windows Sidebar") returned -1 [0072.140] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="Startup") returned -1 [0072.140] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="Temp") returned -1 [0072.140] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEODTXT.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODTXT.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODTXT.DLL" [0072.140] PathFindExtensionW (pszPath="ACEODTXT.DLL") returned=".DLL" [0072.140] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodtxt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0072.140] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4098 [0072.140] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4098, lpName=0x0) returned 0x248 [0072.140] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0072.140] CloseHandle (hObject=0x248) returned 1 [0072.141] CloseHandle (hObject=0x24c) returned 1 [0072.168] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0072.168] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodtxt.dll"), _Mode="rb+") returned 0x76ea4c68 [0072.168] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0072.169] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0072.169] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0072.169] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodtxt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEODTXT.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceodtxt.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0072.170] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="..") returned 1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2=".") returned 1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="Windows") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="MSOCache") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="PerfLogs") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="DVD Maker") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="Internet Explorer") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="Reference Assemblies") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="Windows Defender") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="Windows Mail") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="Windows Media Player") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="Windows NT") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="Windows Sidebar") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="Startup") returned -1 [0072.170] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="Temp") returned -1 [0072.170] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEOLEDB.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEOLEDB.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEOLEDB.DLL" [0072.170] PathFindExtensionW (pszPath="ACEOLEDB.DLL") returned=".DLL" [0072.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceoledb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0072.171] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6c8e8 [0072.171] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c8e8, lpName=0x0) returned 0x248 [0072.171] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0072.361] CloseHandle (hObject=0x248) returned 1 [0072.361] CloseHandle (hObject=0x24c) returned 1 [0072.421] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0072.423] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceoledb.dll"), _Mode="rb+") returned 0x76ea4c68 [0072.423] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0072.423] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0072.423] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0072.435] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceoledb.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEOLEDB.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceoledb.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0072.436] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="..") returned 1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2=".") returned 1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="Windows") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="MSOCache") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="PerfLogs") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="DVD Maker") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="Internet Explorer") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="Reference Assemblies") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="Windows Defender") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="Windows Mail") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="Windows Media Player") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="Windows NT") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="Windows Sidebar") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="Startup") returned -1 [0072.436] lstrcmpW (lpString1="ACETXT.DLL", lpString2="Temp") returned -1 [0072.436] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACETXT.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACETXT.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACETXT.DLL" [0072.436] PathFindExtensionW (pszPath="ACETXT.DLL") returned=".DLL" [0072.436] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acetxt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0072.436] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x31ad8 [0072.437] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x31ad8, lpName=0x0) returned 0x248 [0072.437] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0072.723] CloseHandle (hObject=0x248) returned 1 [0072.723] CloseHandle (hObject=0x24c) returned 1 [0072.769] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0072.770] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acetxt.dll"), _Mode="rb+") returned 0x76ea4c68 [0072.770] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0072.770] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0072.770] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0072.775] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acetxt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACETXT.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acetxt.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0072.800] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="..") returned 1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2=".") returned 1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="Windows") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="MSOCache") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="PerfLogs") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="DVD Maker") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="Internet Explorer") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="Reference Assemblies") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="Windows Defender") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="Windows Mail") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="Windows Media Player") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="Windows NT") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="Windows Sidebar") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="Startup") returned -1 [0072.800] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="Temp") returned -1 [0072.800] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEWDAT.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWDAT.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWDAT.DLL" [0072.800] PathFindExtensionW (pszPath="ACEWDAT.DLL") returned=".DLL" [0072.801] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acewdat.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0072.801] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2e9080 [0072.801] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x248 [0072.801] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0072.866] CloseHandle (hObject=0x248) returned 1 [0072.867] CloseHandle (hObject=0x24c) returned 1 [0073.026] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0073.037] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acewdat.dll"), _Mode="rb+") returned 0x76ea4c68 [0073.038] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0073.038] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0073.038] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0073.093] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acewdat.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWDAT.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acewdat.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0073.093] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0073.093] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="..") returned 1 [0073.093] lstrcmpW (lpString1="ACEWSS.DLL", lpString2=".") returned 1 [0073.093] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="Windows") returned -1 [0073.093] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="MSOCache") returned -1 [0073.093] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="PerfLogs") returned -1 [0073.093] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="DVD Maker") returned -1 [0073.093] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="Internet Explorer") returned -1 [0073.093] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="Reference Assemblies") returned -1 [0073.093] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="Windows Defender") returned -1 [0073.093] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="Windows Mail") returned -1 [0073.094] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="Windows Media Player") returned -1 [0073.094] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="Windows NT") returned -1 [0073.094] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="Windows Sidebar") returned -1 [0073.094] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="Startup") returned -1 [0073.094] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="Temp") returned -1 [0073.094] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ACEWSS.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWSS.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWSS.DLL" [0073.094] PathFindExtensionW (pszPath="ACEWSS.DLL") returned=".DLL" [0073.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acewss.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0073.094] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4cae8 [0073.094] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4cae8, lpName=0x0) returned 0x248 [0073.094] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0073.397] CloseHandle (hObject=0x248) returned 1 [0073.397] CloseHandle (hObject=0x24c) returned 1 [0073.421] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0073.422] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acewss.dll"), _Mode="rb+") returned 0x76ea4c68 [0073.422] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0073.422] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0073.422] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0073.427] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acewss.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ACEWSS.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acewss.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0073.428] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="..") returned 1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2=".") returned 1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="Windows") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="MSOCache") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="PerfLogs") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="DVD Maker") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="Internet Explorer") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="Reference Assemblies") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="Windows Defender") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="Windows Mail") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="Windows Media Player") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="Windows NT") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="Windows Sidebar") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="Startup") returned -1 [0073.428] lstrcmpW (lpString1="ADAL.DLL", lpString2="Temp") returned -1 [0073.428] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="ADAL.DLL" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ADAL.DLL") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ADAL.DLL" [0073.429] PathFindExtensionW (pszPath="ADAL.DLL") returned=".DLL" [0073.429] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ADAL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\adal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0073.429] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xd52a8 [0073.429] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd52a8, lpName=0x0) returned 0x248 [0073.429] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0073.698] CloseHandle (hObject=0x248) returned 1 [0073.698] CloseHandle (hObject=0x24c) returned 1 [0073.793] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0073.796] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ADAL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\adal.dll"), _Mode="rb+") returned 0x76ea4c68 [0073.797] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0073.797] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0073.797] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0073.810] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ADAL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\adal.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ADAL.DLL.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\adal.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0073.811] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="..") returned 1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2=".") returned 1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="Windows") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="MSOCache") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="PerfLogs") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="DVD Maker") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="Internet Explorer") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="Reference Assemblies") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="Windows Defender") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="Windows Mail") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="Windows Media Player") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="Windows NT") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="Windows Sidebar") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="Startup") returned -1 [0073.811] lstrcmpW (lpString1="CMigrate.exe", lpString2="Temp") returned -1 [0073.811] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="CMigrate.exe" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CMigrate.exe") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CMigrate.exe" [0073.811] PathFindExtensionW (pszPath="CMigrate.exe") returned=".exe" [0073.811] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CMigrate.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\cmigrate.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0073.812] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6c8ad8 [0073.812] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x248 [0073.812] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0073.934] CloseHandle (hObject=0x248) returned 1 [0073.935] CloseHandle (hObject=0x24c) returned 1 [0074.344] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0074.356] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CMigrate.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\cmigrate.exe"), _Mode="rb+") returned 0x76ea4c68 [0074.356] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0074.356] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0074.356] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0074.500] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CMigrate.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\cmigrate.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CMigrate.exe.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\cmigrate.exe.[sepsis@protonmail.com].sepsis")) returned 1 [0074.501] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="..") returned 1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2=".") returned 1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="Windows") returned -1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="MSOCache") returned -1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="PerfLogs") returned -1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="DVD Maker") returned -1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="Internet Explorer") returned -1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="Reference Assemblies") returned -1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="Windows Defender") returned -1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="Windows Mail") returned -1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="Windows Media Player") returned -1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="Windows NT") returned -1 [0074.501] lstrcmpW (lpString1="Csi.dll", lpString2="Windows Sidebar") returned -1 [0074.502] lstrcmpW (lpString1="Csi.dll", lpString2="Startup") returned -1 [0074.502] lstrcmpW (lpString1="Csi.dll", lpString2="Temp") returned -1 [0074.502] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="Csi.dll" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Csi.dll") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Csi.dll" [0074.502] PathFindExtensionW (pszPath="Csi.dll") returned=".dll" [0074.502] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\csi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0074.509] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6898c0 [0074.509] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x180000, lpName=0x0) returned 0x248 [0074.510] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0074.510] CloseHandle (hObject=0x248) returned 1 [0074.510] CloseHandle (hObject=0x24c) returned 1 [0074.899] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0074.910] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\csi.dll"), _Mode="rb+") returned 0x76ea4c68 [0074.911] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0074.911] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0074.911] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0074.912] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\csi.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Csi.dll.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\csi.dll.[sepsis@protonmail.com].sepsis")) returned 1 [0074.913] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="..") returned 1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2=".") returned 1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="Windows") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="MSOCache") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="PerfLogs") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="DVD Maker") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="Internet Explorer") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="Reference Assemblies") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="Windows Defender") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="Windows Mail") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="Windows Media Player") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="Windows NT") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="Windows Sidebar") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="Startup") returned -1 [0074.913] lstrcmpW (lpString1="CSISYNCCLIENT.EXE", lpString2="Temp") returned -1 [0074.913] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="CSISYNCCLIENT.EXE" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CSISYNCCLIENT.EXE") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CSISYNCCLIENT.EXE" [0074.913] PathFindExtensionW (pszPath="CSISYNCCLIENT.EXE") returned=".EXE" [0074.913] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CSISYNCCLIENT.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\csisyncclient.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0074.914] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1a4f0 [0074.914] CreateFileMappingW (hFile=0x24c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1a4f0, lpName=0x0) returned 0x248 [0074.914] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0075.046] CloseHandle (hObject=0x248) returned 1 [0075.046] CloseHandle (hObject=0x24c) returned 1 [0075.053] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0075.053] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CSISYNCCLIENT.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\csisyncclient.exe"), _Mode="rb+") returned 0x76ea4c68 [0075.054] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0075.054] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0075.054] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.054] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CSISYNCCLIENT.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\csisyncclient.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\CSISYNCCLIENT.EXE.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\csisyncclient.exe.[sepsis@protonmail.com].sepsis")) returned 1 [0075.055] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="..") returned 1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2=".") returned 1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="Windows") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="MSOCache") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="PerfLogs") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="DVD Maker") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="Internet Explorer") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="Reference Assemblies") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="Windows Defender") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="Windows Mail") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="Windows Media Player") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="Windows NT") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="Windows Sidebar") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="Startup") returned -1 [0075.055] lstrcmpW (lpString1="Cultures", lpString2="Temp") returned -1 [0075.055] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="Cultures" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures" [0075.055] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures\\*.*" [0075.055] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4818 [0075.056] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0075.056] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.056] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="..") returned 1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2=".") returned 1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="Windows") returned -1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="MSOCache") returned 1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="PerfLogs") returned -1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="DVD Maker") returned 1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="Internet Explorer") returned 1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="Reference Assemblies") returned -1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="Windows Defender") returned -1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="Windows Mail") returned -1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="Windows Media Player") returned -1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="Windows NT") returned -1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="Windows Sidebar") returned -1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="Startup") returned -1 [0075.056] lstrcmpW (lpString1="OFFICE.ODF", lpString2="Temp") returned -1 [0075.056] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures", pszFile="OFFICE.ODF" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures\\OFFICE.ODF") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures\\OFFICE.ODF" [0075.056] PathFindExtensionW (pszPath="OFFICE.ODF") returned=".ODF" [0075.056] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\cultures\\office.odf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0075.062] FindNextFileW (in: hFindFile=0x4d4818, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0 [0075.062] FindClose (in: hFindFile=0x4d4818 | out: hFindFile=0x4d4818) returned 1 [0075.062] FindNextFileW (in: hFindFile=0x4d4c58, lpFindFileData=0x2acdc50 | out: lpFindFileData=0x2acdc50) returned 1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="..") returned 1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2=".") returned 1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="Windows") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="MSOCache") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="PerfLogs") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="DVD Maker") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="Internet Explorer") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="Reference Assemblies") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="Windows Defender") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="Windows Mail") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="Windows Media Player") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="Windows NT") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="Windows Sidebar") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="Startup") returned -1 [0075.062] lstrcmpW (lpString1="DataModel", lpString2="Temp") returned -1 [0075.062] PathCombineW (in: pszDest=0x2acdea0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15", pszFile="DataModel" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel" [0075.062] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\*.*" [0075.062] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\*.*", lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 0x4d4998 [0075.077] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0075.077] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.077] FindNextFileW (in: hFindFile=0x4d4998, lpFindFileData=0x2acd5d0 | out: lpFindFileData=0x2acd5d0) returned 1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="..") returned 1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2=".") returned 1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="Windows") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="MSOCache") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="PerfLogs") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="DVD Maker") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="Internet Explorer") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="Reference Assemblies") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="Windows Defender") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="Windows Mail") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="Windows Media Player") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="Windows NT") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="Windows Sidebar") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="Startup") returned -1 [0075.077] lstrcmpW (lpString1="Cartridges", lpString2="Temp") returned -1 [0075.077] PathCombineW (in: pszDest=0x2acd820, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel", pszFile="Cartridges" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges" [0075.077] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="*.*" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\*.*") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\*.*" [0075.077] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\*.*", lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 0x4d4a98 [0075.088] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.088] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0075.088] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="..") returned 1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2=".") returned 1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="Windows") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="MSOCache") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="PerfLogs") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="DVD Maker") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="Internet Explorer") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="Reference Assemblies") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="Windows Defender") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="Windows Mail") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="Windows Media Player") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="Windows NT") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="Windows Sidebar") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="Startup") returned -1 [0075.088] lstrcmpW (lpString1="as80.xsl", lpString2="Temp") returned -1 [0075.088] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="as80.xsl" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as80.xsl") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as80.xsl" [0075.088] PathFindExtensionW (pszPath="as80.xsl") returned=".xsl" [0075.088] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\as80.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x244 [0075.089] GetFileSize (in: hFile=0x244, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x43e4 [0075.089] CreateFileMappingW (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x43e4, lpName=0x0) returned 0x240 [0075.089] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0075.119] CloseHandle (hObject=0x240) returned 1 [0075.119] CloseHandle (hObject=0x244) returned 1 [0075.121] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0075.121] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\as80.xsl"), _Mode="rb+") returned 0x76ea4c68 [0075.121] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0075.121] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0075.121] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.122] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\as80.xsl"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as80.xsl.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\as80.xsl.[sepsis@protonmail.com].sepsis")) returned 1 [0075.123] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="..") returned 1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2=".") returned 1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="Windows") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="MSOCache") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="PerfLogs") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="DVD Maker") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="Internet Explorer") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="Reference Assemblies") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="Windows Defender") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="Windows Mail") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="Windows Media Player") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="Windows NT") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="Windows Sidebar") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="Startup") returned -1 [0075.123] lstrcmpW (lpString1="as90.xsl", lpString2="Temp") returned -1 [0075.123] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="as90.xsl" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as90.xsl") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as90.xsl" [0075.123] PathFindExtensionW (pszPath="as90.xsl") returned=".xsl" [0075.123] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\as90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x244 [0075.123] GetFileSize (in: hFile=0x244, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x49ba [0075.123] CreateFileMappingW (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x49ba, lpName=0x0) returned 0x240 [0075.124] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0075.124] CloseHandle (hObject=0x240) returned 1 [0075.124] CloseHandle (hObject=0x244) returned 1 [0075.127] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0075.127] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\as90.xsl"), _Mode="rb+") returned 0x76ea4c68 [0075.127] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0075.127] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0075.127] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.128] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\as90.xsl"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\as90.xsl.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\as90.xsl.[sepsis@protonmail.com].sepsis")) returned 1 [0075.128] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.128] lstrcmpW (lpString1="db2v0801.xsl", lpString2="..") returned 1 [0075.128] lstrcmpW (lpString1="db2v0801.xsl", lpString2=".") returned 1 [0075.128] lstrcmpW (lpString1="db2v0801.xsl", lpString2="Windows") returned -1 [0075.128] lstrcmpW (lpString1="db2v0801.xsl", lpString2="MSOCache") returned -1 [0075.128] lstrcmpW (lpString1="db2v0801.xsl", lpString2="PerfLogs") returned -1 [0075.128] lstrcmpW (lpString1="db2v0801.xsl", lpString2="DVD Maker") returned -1 [0075.128] lstrcmpW (lpString1="db2v0801.xsl", lpString2="Internet Explorer") returned -1 [0075.129] lstrcmpW (lpString1="db2v0801.xsl", lpString2="Reference Assemblies") returned -1 [0075.129] lstrcmpW (lpString1="db2v0801.xsl", lpString2="Windows Defender") returned -1 [0075.129] lstrcmpW (lpString1="db2v0801.xsl", lpString2="Windows Mail") returned -1 [0075.129] lstrcmpW (lpString1="db2v0801.xsl", lpString2="Windows Media Player") returned -1 [0075.129] lstrcmpW (lpString1="db2v0801.xsl", lpString2="Windows NT") returned -1 [0075.129] lstrcmpW (lpString1="db2v0801.xsl", lpString2="Windows Sidebar") returned -1 [0075.129] lstrcmpW (lpString1="db2v0801.xsl", lpString2="Startup") returned -1 [0075.129] lstrcmpW (lpString1="db2v0801.xsl", lpString2="Temp") returned -1 [0075.129] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="db2v0801.xsl" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\db2v0801.xsl") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\db2v0801.xsl" [0075.129] PathFindExtensionW (pszPath="db2v0801.xsl") returned=".xsl" [0075.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\db2v0801.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\db2v0801.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x244 [0075.129] GetFileSize (in: hFile=0x244, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x7584 [0075.129] CreateFileMappingW (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7584, lpName=0x0) returned 0x240 [0075.129] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0075.139] CloseHandle (hObject=0x240) returned 1 [0075.139] CloseHandle (hObject=0x244) returned 1 [0075.142] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0075.142] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\db2v0801.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\db2v0801.xsl"), _Mode="rb+") returned 0x76ea4c68 [0075.142] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0075.142] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0075.142] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.143] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\db2v0801.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\db2v0801.xsl"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\db2v0801.xsl.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\db2v0801.xsl.[sepsis@protonmail.com].sepsis")) returned 1 [0075.143] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="..") returned 1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2=".") returned 1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="Windows") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="MSOCache") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="PerfLogs") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="DVD Maker") returned 1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="Internet Explorer") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="Reference Assemblies") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="Windows Defender") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="Windows Mail") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="Windows Media Player") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="Windows NT") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="Windows Sidebar") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="Startup") returned -1 [0075.144] lstrcmpW (lpString1="informix.xsl", lpString2="Temp") returned -1 [0075.144] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="informix.xsl" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\informix.xsl") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\informix.xsl" [0075.144] PathFindExtensionW (pszPath="informix.xsl") returned=".xsl" [0075.144] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\informix.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x244 [0075.144] GetFileSize (in: hFile=0x244, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x7b27 [0075.144] CreateFileMappingW (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7b27, lpName=0x0) returned 0x240 [0075.145] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0075.145] CloseHandle (hObject=0x240) returned 1 [0075.145] CloseHandle (hObject=0x244) returned 1 [0075.164] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0075.165] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\informix.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\informix.xsl"), _Mode="rb+") returned 0x76ea4c68 [0075.165] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0075.165] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0075.165] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.166] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\informix.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\informix.xsl"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\informix.xsl.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\informix.xsl.[sepsis@protonmail.com].sepsis")) returned 1 [0075.167] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="..") returned 1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2=".") returned 1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="Windows") returned -1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="MSOCache") returned -1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="PerfLogs") returned -1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="DVD Maker") returned 1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="Internet Explorer") returned 1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="Reference Assemblies") returned -1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="Windows Defender") returned -1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="Windows Mail") returned -1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="Windows Media Player") returned -1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="Windows NT") returned -1 [0075.167] lstrcmpW (lpString1="msjet.xsl", lpString2="Windows Sidebar") returned -1 [0075.168] lstrcmpW (lpString1="msjet.xsl", lpString2="Startup") returned -1 [0075.168] lstrcmpW (lpString1="msjet.xsl", lpString2="Temp") returned -1 [0075.168] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="msjet.xsl" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\msjet.xsl") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\msjet.xsl" [0075.168] PathFindExtensionW (pszPath="msjet.xsl") returned=".xsl" [0075.168] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\msjet.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x244 [0075.168] GetFileSize (in: hFile=0x244, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x7339 [0075.168] CreateFileMappingW (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7339, lpName=0x0) returned 0x240 [0075.168] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0075.192] CloseHandle (hObject=0x240) returned 1 [0075.192] CloseHandle (hObject=0x244) returned 1 [0075.197] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0075.197] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\msjet.xsl"), _Mode="rb+") returned 0x76ea4c68 [0075.197] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0075.197] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0075.197] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.198] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\msjet.xsl"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\msjet.xsl.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\msjet.xsl.[sepsis@protonmail.com].sepsis")) returned 1 [0075.199] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="..") returned 1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2=".") returned 1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="Windows") returned -1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="MSOCache") returned 1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="PerfLogs") returned -1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="DVD Maker") returned 1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="Internet Explorer") returned 1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="Reference Assemblies") returned -1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="Windows Defender") returned -1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="Windows Mail") returned -1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="Windows Media Player") returned -1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="Windows NT") returned -1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="Windows Sidebar") returned -1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="Startup") returned -1 [0075.199] lstrcmpW (lpString1="orcl7.xsl", lpString2="Temp") returned -1 [0075.199] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="orcl7.xsl" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\orcl7.xsl") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\orcl7.xsl" [0075.199] PathFindExtensionW (pszPath="orcl7.xsl") returned=".xsl" [0075.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\orcl7.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\orcl7.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x244 [0075.200] GetFileSize (in: hFile=0x244, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8a05 [0075.200] CreateFileMappingW (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8a05, lpName=0x0) returned 0x240 [0075.200] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0075.229] CloseHandle (hObject=0x240) returned 1 [0075.229] CloseHandle (hObject=0x244) returned 1 [0075.232] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0075.232] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\orcl7.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\orcl7.xsl"), _Mode="rb+") returned 0x76ea4c68 [0075.232] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0075.233] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0075.233] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.233] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\orcl7.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\orcl7.xsl"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\orcl7.xsl.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\orcl7.xsl.[sepsis@protonmail.com].sepsis")) returned 1 [0075.234] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="..") returned 1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2=".") returned 1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="Windows") returned -1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="MSOCache") returned 1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="PerfLogs") returned 1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="DVD Maker") returned 1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="Internet Explorer") returned 1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="Reference Assemblies") returned 1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="Windows Defender") returned -1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="Windows Mail") returned -1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="Windows Media Player") returned -1 [0075.234] lstrcmpW (lpString1="sql2000.xsl", lpString2="Windows NT") returned -1 [0075.235] lstrcmpW (lpString1="sql2000.xsl", lpString2="Windows Sidebar") returned -1 [0075.235] lstrcmpW (lpString1="sql2000.xsl", lpString2="Startup") returned -1 [0075.235] lstrcmpW (lpString1="sql2000.xsl", lpString2="Temp") returned -1 [0075.235] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="sql2000.xsl" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql2000.xsl") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql2000.xsl" [0075.235] PathFindExtensionW (pszPath="sql2000.xsl") returned=".xsl" [0075.235] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x244 [0075.235] GetFileSize (in: hFile=0x244, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x858c [0075.236] CreateFileMappingW (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x858c, lpName=0x0) returned 0x240 [0075.236] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0075.236] CloseHandle (hObject=0x240) returned 1 [0075.236] CloseHandle (hObject=0x244) returned 1 [0075.269] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0075.269] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql2000.xsl"), _Mode="rb+") returned 0x76ea4c68 [0075.270] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0075.270] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0075.270] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.270] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql2000.xsl"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql2000.xsl.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql2000.xsl.[sepsis@protonmail.com].sepsis")) returned 1 [0075.271] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.271] lstrcmpW (lpString1="sql70.xsl", lpString2="..") returned 1 [0075.271] lstrcmpW (lpString1="sql70.xsl", lpString2=".") returned 1 [0075.271] lstrcmpW (lpString1="sql70.xsl", lpString2="Windows") returned -1 [0075.271] lstrcmpW (lpString1="sql70.xsl", lpString2="MSOCache") returned 1 [0075.271] lstrcmpW (lpString1="sql70.xsl", lpString2="PerfLogs") returned 1 [0075.271] lstrcmpW (lpString1="sql70.xsl", lpString2="DVD Maker") returned 1 [0075.271] lstrcmpW (lpString1="sql70.xsl", lpString2="Internet Explorer") returned 1 [0075.271] lstrcmpW (lpString1="sql70.xsl", lpString2="Reference Assemblies") returned 1 [0075.271] lstrcmpW (lpString1="sql70.xsl", lpString2="Windows Defender") returned -1 [0075.272] lstrcmpW (lpString1="sql70.xsl", lpString2="Windows Mail") returned -1 [0075.272] lstrcmpW (lpString1="sql70.xsl", lpString2="Windows Media Player") returned -1 [0075.272] lstrcmpW (lpString1="sql70.xsl", lpString2="Windows NT") returned -1 [0075.272] lstrcmpW (lpString1="sql70.xsl", lpString2="Windows Sidebar") returned -1 [0075.272] lstrcmpW (lpString1="sql70.xsl", lpString2="Startup") returned -1 [0075.272] lstrcmpW (lpString1="sql70.xsl", lpString2="Temp") returned -1 [0075.272] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="sql70.xsl" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql70.xsl") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql70.xsl" [0075.272] PathFindExtensionW (pszPath="sql70.xsl") returned=".xsl" [0075.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x244 [0075.272] GetFileSize (in: hFile=0x244, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x7e02 [0075.272] CreateFileMappingW (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e02, lpName=0x0) returned 0x240 [0075.273] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c0000 [0075.317] CloseHandle (hObject=0x240) returned 1 [0075.317] CloseHandle (hObject=0x244) returned 1 [0075.321] UnmapViewOfFile (lpBaseAddress=0x2c0000) returned 1 [0075.321] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql70.xsl"), _Mode="rb+") returned 0x76ea4c68 [0075.321] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0075.321] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0075.321] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.322] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql70.xsl"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql70.xsl.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql70.xsl.[sepsis@protonmail.com].sepsis")) returned 1 [0075.322] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="..") returned 1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2=".") returned 1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="Windows") returned -1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="MSOCache") returned 1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="PerfLogs") returned 1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="DVD Maker") returned 1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="Internet Explorer") returned 1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="Reference Assemblies") returned 1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="Windows Defender") returned -1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="Windows Mail") returned -1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="Windows Media Player") returned -1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="Windows NT") returned -1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="Windows Sidebar") returned -1 [0075.322] lstrcmpW (lpString1="sql90.xsl", lpString2="Startup") returned -1 [0075.323] lstrcmpW (lpString1="sql90.xsl", lpString2="Temp") returned -1 [0075.323] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="sql90.xsl" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql90.xsl") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql90.xsl" [0075.323] PathFindExtensionW (pszPath="sql90.xsl") returned=".xsl" [0075.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x244 [0075.323] GetFileSize (in: hFile=0x244, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x16beb [0075.323] CreateFileMappingW (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16beb, lpName=0x0) returned 0x240 [0075.323] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0075.354] CloseHandle (hObject=0x240) returned 1 [0075.354] CloseHandle (hObject=0x244) returned 1 [0075.403] UnmapViewOfFile (lpBaseAddress=0x2ad0000) returned 1 [0075.404] _wfopen (_FileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql90.xsl"), _Mode="rb+") returned 0x76ea4c68 [0075.405] fseek (in: _File=0x76ea4c68, _Offset=0, _Origin=2 | out: _File=0x76ea4c68) returned 0 [0075.405] fwrite (in: _Str=0x4658f8*, _Size=0x1, _Count=0xb4, _File=0x76ea4c68 | out: _Str=0x4658f8*, _File=0x76ea4c68) returned 0xb4 [0075.405] fclose (in: _File=0x76ea4c68 | out: _File=0x76ea4c68) returned 0 [0075.406] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql90.xsl"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sql90.xsl.[Sepsis@protonmail.com].SEPSIS" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sql90.xsl.[sepsis@protonmail.com].sepsis")) returned 1 [0075.406] FindNextFileW (in: hFindFile=0x4d4a98, lpFindFileData=0x2accf50 | out: lpFindFileData=0x2accf50) returned 1 [0075.406] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="..") returned 1 [0075.406] lstrcmpW (lpString1="sqlpdw.xsl", lpString2=".") returned 1 [0075.406] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="Windows") returned -1 [0075.406] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="MSOCache") returned 1 [0075.406] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="PerfLogs") returned 1 [0075.406] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="DVD Maker") returned 1 [0075.407] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="Internet Explorer") returned 1 [0075.407] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="Reference Assemblies") returned 1 [0075.407] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="Windows Defender") returned -1 [0075.407] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="Windows Mail") returned -1 [0075.407] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="Windows Media Player") returned -1 [0075.407] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="Windows NT") returned -1 [0075.407] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="Windows Sidebar") returned -1 [0075.407] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="Startup") returned -1 [0075.407] lstrcmpW (lpString1="sqlpdw.xsl", lpString2="Temp") returned -1 [0075.407] PathCombineW (in: pszDest=0x2acd1a0, pszDir="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges", pszFile="sqlpdw.xsl" | out: pszDest="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sqlpdw.xsl") returned="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sqlpdw.xsl" [0075.407] PathFindExtensionW (pszPath="sqlpdw.xsl") returned=".xsl" [0075.407] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\DataModel\\Cartridges\\sqlpdw.xsl" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\datamodel\\cartridges\\sqlpdw.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x244 [0075.408] GetFileSize (in: hFile=0x244, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1202c [0075.408] CreateFileMappingW (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1202c, lpName=0x0) returned 0x240 [0075.408] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ad0000 [0075.430] CloseHandle (hObject=0x240) returned 1 [0075.430] CloseHandle (hObject=0x244) returned 1 Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x21ffe000" os_pid = "0xaf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xac4" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 355 start_va = 0x7f4d5000 end_va = 0x7f4d5fff entry_point = 0x0 region_type = private name = "private_0x000000007f4d5000" filename = "" Region: id = 356 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 357 start_va = 0xb76a280000 end_va = 0xb76a29ffff entry_point = 0x0 region_type = private name = "private_0x000000b76a280000" filename = "" Region: id = 358 start_va = 0xb76a2a0000 end_va = 0xb76a2aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b76a2a0000" filename = "" Region: id = 359 start_va = 0xb76a2b0000 end_va = 0xb76a3affff entry_point = 0x0 region_type = private name = "private_0x000000b76a2b0000" filename = "" Region: id = 360 start_va = 0xb76a3b0000 end_va = 0xb76a3b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b76a3b0000" filename = "" Region: id = 361 start_va = 0xb76a3c0000 end_va = 0xb76a3c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b76a3c0000" filename = "" Region: id = 362 start_va = 0xb76a3d0000 end_va = 0xb76a3d1fff entry_point = 0x0 region_type = private name = "private_0x000000b76a3d0000" filename = "" Region: id = 363 start_va = 0x7ff639510000 end_va = 0x7ff639532fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff639510000" filename = "" Region: id = 364 start_va = 0x7ff639533000 end_va = 0x7ff639533fff entry_point = 0x0 region_type = private name = "private_0x00007ff639533000" filename = "" Region: id = 365 start_va = 0x7ff63953e000 end_va = 0x7ff63953ffff entry_point = 0x0 region_type = private name = "private_0x00007ff63953e000" filename = "" Region: id = 366 start_va = 0x7ff639dc0000 end_va = 0x7ff639e1afff entry_point = 0x7ff639dc0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 367 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 371 start_va = 0xb76a5c0000 end_va = 0xb76a6bffff entry_point = 0x0 region_type = private name = "private_0x000000b76a5c0000" filename = "" Region: id = 372 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 373 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 425 start_va = 0xb76a280000 end_va = 0xb76a28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b76a280000" filename = "" Region: id = 426 start_va = 0xb76a3e0000 end_va = 0xb76a45dfff entry_point = 0xb76a3e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 427 start_va = 0x7ff639410000 end_va = 0x7ff63950ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff639410000" filename = "" Region: id = 428 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 429 start_va = 0xb76a290000 end_va = 0xb76a296fff entry_point = 0x0 region_type = private name = "private_0x000000b76a290000" filename = "" Region: id = 430 start_va = 0xb76a580000 end_va = 0xb76a58ffff entry_point = 0x0 region_type = private name = "private_0x000000b76a580000" filename = "" Region: id = 431 start_va = 0xb76a6c0000 end_va = 0xb76a994fff entry_point = 0xb76a6c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 13 os_tid = 0xaf4 [0050.057] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff639dc0000 [0050.057] __set_app_type (_Type=0x1) [0050.059] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff639ddace0) returned 0x0 [0050.059] __getmainargs (in: _Argc=0x7ff639dfe724, _Argv=0x7ff639dfe728, _Env=0x7ff639dfe730, _DoWildCard=0, _StartInfo=0x7ff639ded0c4 | out: _Argc=0x7ff639dfe724, _Argv=0x7ff639dfe728, _Env=0x7ff639dfe730) returned 0 [0050.060] GetCurrentThreadId () returned 0xaf4 [0050.060] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaf4) returned 0x28 [0050.061] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffb1b140000 [0050.061] GetProcAddress (hModule=0x7ffb1b140000, lpProcName="SetThreadUILanguage") returned 0x7ffb1b149180 [0050.061] SetThreadUILanguage (LangId=0x0) returned 0x409 [0050.062] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0050.062] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xb76a3afc68 | out: phkResult=0xb76a3afc68*=0x0) returned 0x2 [0050.062] VirtualQuery (in: lpAddress=0xb76a3afc54, lpBuffer=0xb76a3afbd0, dwLength=0x30 | out: lpBuffer=0xb76a3afbd0*(BaseAddress=0xb76a3af000, AllocationBase=0xb76a2b0000, AllocationProtect=0x4, __alignment1=0xb7, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0050.062] VirtualQuery (in: lpAddress=0xb76a2b0000, lpBuffer=0xb76a3afbd0, dwLength=0x30 | out: lpBuffer=0xb76a3afbd0*(BaseAddress=0xb76a2b0000, AllocationBase=0xb76a2b0000, AllocationProtect=0x4, __alignment1=0xb7, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0050.062] VirtualQuery (in: lpAddress=0xb76a2b1000, lpBuffer=0xb76a3afbd0, dwLength=0x30 | out: lpBuffer=0xb76a3afbd0*(BaseAddress=0xb76a2b1000, AllocationBase=0xb76a2b0000, AllocationProtect=0x4, __alignment1=0xb7, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0050.062] VirtualQuery (in: lpAddress=0xb76a2b4000, lpBuffer=0xb76a3afbd0, dwLength=0x30 | out: lpBuffer=0xb76a3afbd0*(BaseAddress=0xb76a2b4000, AllocationBase=0xb76a2b0000, AllocationProtect=0x4, __alignment1=0xb7, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0050.062] VirtualQuery (in: lpAddress=0xb76a3b0000, lpBuffer=0xb76a3afbd0, dwLength=0x30 | out: lpBuffer=0xb76a3afbd0*(BaseAddress=0xb76a3b0000, AllocationBase=0xb76a3b0000, AllocationProtect=0x2, __alignment1=0xb7, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0050.062] GetConsoleOutputCP () returned 0x1b5 [0050.062] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff639dfa120 | out: lpCPInfo=0x7ff639dfa120) returned 1 [0050.063] SetConsoleCtrlHandler (HandlerRoutine=0x7ff639de62a4, Add=1) returned 1 [0050.063] _get_osfhandle (_FileHandle=1) returned 0x1c [0050.063] SetConsoleMode (hConsoleHandle=0x1c, dwMode=0x0) returned 1 [0050.063] _get_osfhandle (_FileHandle=1) returned 0x1c [0050.063] GetConsoleMode (in: hConsoleHandle=0x1c, lpMode=0x7ff639ded150 | out: lpMode=0x7ff639ded150) returned 1 [0050.064] _get_osfhandle (_FileHandle=1) returned 0x1c [0050.064] SetConsoleMode (hConsoleHandle=0x1c, dwMode=0x3) returned 1 [0050.064] _get_osfhandle (_FileHandle=0) returned 0x18 [0050.064] GetConsoleMode (in: hConsoleHandle=0x18, lpMode=0x7ff639ded14c | out: lpMode=0x7ff639ded14c) returned 1 [0050.065] _get_osfhandle (_FileHandle=0) returned 0x18 [0050.065] SetConsoleMode (hConsoleHandle=0x18, dwMode=0x1a7) returned 1 [0050.067] GetEnvironmentStringsW () returned 0xb76a5c4a40* [0050.068] FreeEnvironmentStringsA (penv="A") returned 1 [0050.068] GetEnvironmentStringsW () returned 0xb76a5c4a40* [0050.068] FreeEnvironmentStringsA (penv="A") returned 1 [0050.068] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xb76a3aeb18 | out: phkResult=0xb76a3aeb18*=0x34) returned 0x0 [0050.072] RegQueryValueExW (in: hKey=0x34, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x0, lpData=0xb76a3aeb30*=0x0, lpcbData=0xb76a3aeb14*=0x1000) returned 0x2 [0050.072] RegQueryValueExW (in: hKey=0x34, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x4, lpData=0xb76a3aeb30*=0x1, lpcbData=0xb76a3aeb14*=0x4) returned 0x0 [0050.072] RegQueryValueExW (in: hKey=0x34, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x0, lpData=0xb76a3aeb30*=0x1, lpcbData=0xb76a3aeb14*=0x1000) returned 0x2 [0050.072] RegQueryValueExW (in: hKey=0x34, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x4, lpData=0xb76a3aeb30*=0x0, lpcbData=0xb76a3aeb14*=0x4) returned 0x0 [0050.072] RegQueryValueExW (in: hKey=0x34, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x4, lpData=0xb76a3aeb30*=0x40, lpcbData=0xb76a3aeb14*=0x4) returned 0x0 [0050.072] RegQueryValueExW (in: hKey=0x34, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x4, lpData=0xb76a3aeb30*=0x40, lpcbData=0xb76a3aeb14*=0x4) returned 0x0 [0050.073] RegQueryValueExW (in: hKey=0x34, lpValueName="AutoRun", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x0, lpData=0xb76a3aeb30*=0x40, lpcbData=0xb76a3aeb14*=0x1000) returned 0x2 [0050.073] RegCloseKey (hKey=0x34) returned 0x0 [0050.073] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xb76a3aeb18 | out: phkResult=0xb76a3aeb18*=0x34) returned 0x0 [0050.073] RegQueryValueExW (in: hKey=0x34, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x0, lpData=0xb76a3aeb30*=0x40, lpcbData=0xb76a3aeb14*=0x1000) returned 0x2 [0050.073] RegQueryValueExW (in: hKey=0x34, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x4, lpData=0xb76a3aeb30*=0x1, lpcbData=0xb76a3aeb14*=0x4) returned 0x0 [0050.073] RegQueryValueExW (in: hKey=0x34, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x0, lpData=0xb76a3aeb30*=0x1, lpcbData=0xb76a3aeb14*=0x1000) returned 0x2 [0050.073] RegQueryValueExW (in: hKey=0x34, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x4, lpData=0xb76a3aeb30*=0x0, lpcbData=0xb76a3aeb14*=0x4) returned 0x0 [0050.073] RegQueryValueExW (in: hKey=0x34, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x4, lpData=0xb76a3aeb30*=0x9, lpcbData=0xb76a3aeb14*=0x4) returned 0x0 [0050.073] RegQueryValueExW (in: hKey=0x34, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x4, lpData=0xb76a3aeb30*=0x9, lpcbData=0xb76a3aeb14*=0x4) returned 0x0 [0050.073] RegQueryValueExW (in: hKey=0x34, lpValueName="AutoRun", lpReserved=0x0, lpType=0xb76a3aeb10, lpData=0xb76a3aeb30, lpcbData=0xb76a3aeb14*=0x1000 | out: lpType=0xb76a3aeb10*=0x0, lpData=0xb76a3aeb30*=0x9, lpcbData=0xb76a3aeb14*=0x1000) returned 0x2 [0050.073] RegCloseKey (hKey=0x34) returned 0x0 [0050.073] time (in: timer=0x0 | out: timer=0x0) returned 0x5afc500c [0050.073] srand (_Seed=0x5afc500c) [0050.073] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" [0050.073] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" [0050.074] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff639dfa160 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0050.074] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xb76a5c6760, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0050.074] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0050.074] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0050.074] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0050.074] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0050.074] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0050.074] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0050.074] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0050.074] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0050.074] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0050.074] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0050.074] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0050.074] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0050.074] GetEnvironmentStringsW () returned 0xb76a5c4a40* [0050.074] FreeEnvironmentStringsA (penv="A") returned 1 [0050.074] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0050.075] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0050.075] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0050.075] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0050.075] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0050.075] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0050.075] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0050.075] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0050.075] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0050.075] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0050.075] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xb76a3af920 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0050.075] GetFullPathNameW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", nBufferLength=0x104, lpBuffer=0xb76a3af920, lpFilePart=0xb76a3af900 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb76a3af900*="Desktop") returned 0x1c [0050.075] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0050.075] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0xb76a3af630 | out: lpFindFileData=0xb76a3af630) returned 0xb76a5c7390 [0050.075] FindClose (in: hFindFile=0xb76a5c7390 | out: hFindFile=0xb76a5c7390) returned 1 [0050.075] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp", lpFindFileData=0xb76a3af630 | out: lpFindFileData=0xb76a3af630) returned 0xb76a5c7390 [0050.076] FindClose (in: hFindFile=0xb76a5c7390 | out: hFindFile=0xb76a5c7390) returned 1 [0050.076] _wcsnicmp (_String1="5JGHKO~1", _String2="5JgHKoaOfdp", _MaxCount=0xb) returned 29 [0050.076] FindFirstFileW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFindFileData=0xb76a3af630 | out: lpFindFileData=0xb76a3af630) returned 0xb76a5c7390 [0050.076] FindClose (in: hFindFile=0xb76a5c7390 | out: hFindFile=0xb76a5c7390) returned 1 [0050.076] GetFileAttributesW (lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 0x11 [0050.076] SetCurrentDirectoryW (lpPathName="C:\\Users\\5JgHKoaOfdp\\Desktop" (normalized: "c:\\users\\5jghkoaofdp\\desktop")) returned 1 [0050.076] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 1 [0050.076] GetEnvironmentStringsW () returned 0xb76a5c4a40* [0050.076] FreeEnvironmentStringsA (penv="=") returned 1 [0050.076] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff639dfa160 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop") returned 0x1c [0050.077] GetConsoleOutputCP () returned 0x1b5 [0050.082] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff639dfa120 | out: lpCPInfo=0x7ff639dfa120) returned 1 [0050.082] GetUserDefaultLCID () returned 0x409 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff639dfe680, cchData=8 | out: lpLCData=":") returned 2 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xb76a3afa50, cchData=128 | out: lpLCData="0") returned 2 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xb76a3afa50, cchData=128 | out: lpLCData="0") returned 2 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xb76a3afa50, cchData=128 | out: lpLCData="1") returned 2 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff639dfe8b0, cchData=8 | out: lpLCData="/") returned 2 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff639dfe8e0, cchData=32 | out: lpLCData="Mon") returned 4 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff639dfe920, cchData=32 | out: lpLCData="Tue") returned 4 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff639dfe960, cchData=32 | out: lpLCData="Wed") returned 4 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff639dfe6a0, cchData=32 | out: lpLCData="Thu") returned 4 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff639dfe6e0, cchData=32 | out: lpLCData="Fri") returned 4 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff639dfe9a0, cchData=32 | out: lpLCData="Sat") returned 4 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff639dfe9e0, cchData=32 | out: lpLCData="Sun") returned 4 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff639dfe690, cchData=8 | out: lpLCData=".") returned 2 [0050.083] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff639dfe8c0, cchData=8 | out: lpLCData=",") returned 2 [0050.084] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0050.084] GetConsoleTitleW (in: lpConsoleTitle=0xb76a5c0a20, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0050.085] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffb1b140000 [0050.085] GetProcAddress (hModule=0x7ffb1b140000, lpProcName="CopyFileExW") returned 0x7ffb1b14493c [0050.085] GetProcAddress (hModule=0x7ffb1b140000, lpProcName="IsDebuggerPresent") returned 0x7ffb1b142d40 [0050.085] GetProcAddress (hModule=0x7ffb1b140000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffb1adf0750 [0050.087] _wcsicmp (_String1="vssadmin.exe", _String2=")") returned 77 [0050.087] _wcsicmp (_String1="FOR", _String2="vssadmin.exe") returned -16 [0050.087] _wcsicmp (_String1="FOR/?", _String2="vssadmin.exe") returned -16 [0050.087] _wcsicmp (_String1="IF", _String2="vssadmin.exe") returned -13 [0050.087] _wcsicmp (_String1="IF/?", _String2="vssadmin.exe") returned -13 [0050.087] _wcsicmp (_String1="REM", _String2="vssadmin.exe") returned -4 [0050.087] _wcsicmp (_String1="REM/?", _String2="vssadmin.exe") returned -4 [0050.089] _wcsicmp (_String1="bcdedit.exe", _String2=")") returned 57 [0050.089] _wcsicmp (_String1="FOR", _String2="bcdedit.exe") returned 4 [0050.089] _wcsicmp (_String1="FOR/?", _String2="bcdedit.exe") returned 4 [0050.089] _wcsicmp (_String1="IF", _String2="bcdedit.exe") returned 7 [0050.089] _wcsicmp (_String1="IF/?", _String2="bcdedit.exe") returned 7 [0050.089] _wcsicmp (_String1="REM", _String2="bcdedit.exe") returned 16 [0050.089] _wcsicmp (_String1="REM/?", _String2="bcdedit.exe") returned 16 [0050.090] _wcsicmp (_String1="bcdedit.exe", _String2=")") returned 57 [0050.090] _wcsicmp (_String1="FOR", _String2="bcdedit.exe") returned 4 [0050.090] _wcsicmp (_String1="FOR/?", _String2="bcdedit.exe") returned 4 [0050.090] _wcsicmp (_String1="IF", _String2="bcdedit.exe") returned 7 [0050.090] _wcsicmp (_String1="IF/?", _String2="bcdedit.exe") returned 7 [0050.090] _wcsicmp (_String1="REM", _String2="bcdedit.exe") returned 16 [0050.090] _wcsicmp (_String1="REM/?", _String2="bcdedit.exe") returned 16 [0050.092] GetConsoleTitleW (in: lpConsoleTitle=0xb76a3af880, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0050.093] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\vssadmin.exe")) returned 0xffffffff [0050.093] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0050.093] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0050.093] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0050.093] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0050.093] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0050.093] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0050.093] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0050.093] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0050.093] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0050.093] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0050.093] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0050.093] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0050.093] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0050.093] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0050.094] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0050.094] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0050.094] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0050.094] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0050.094] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0050.094] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0050.094] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0050.094] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0050.094] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0050.094] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0050.094] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0050.094] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0050.094] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0050.094] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0050.094] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0050.094] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0050.094] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0050.094] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0050.094] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0050.094] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0050.094] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0050.094] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0050.094] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0050.094] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0050.094] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0050.094] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0050.094] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0050.094] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0050.094] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0050.094] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0050.094] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0050.094] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0050.094] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0050.094] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0050.094] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0050.094] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0050.094] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0050.094] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0050.094] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0050.094] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0050.094] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0050.095] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0050.095] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0050.095] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0050.095] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0050.095] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0050.095] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0050.095] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0050.095] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0050.095] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0050.095] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0050.095] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0050.095] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0050.095] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0050.095] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0050.095] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0050.095] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0050.095] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0050.095] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0050.095] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0050.095] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0050.095] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0050.095] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0050.095] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0050.095] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0050.095] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0050.095] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0050.095] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0050.095] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0050.095] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0050.095] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0050.095] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0050.095] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0050.096] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0050.096] SetErrorMode (uMode=0x0) returned 0x0 [0050.096] SetErrorMode (uMode=0x1) returned 0x0 [0050.096] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb76a5c6ba0, lpFilePart=0xb76a3af120 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb76a3af120*="Desktop") returned 0x1c [0050.096] SetErrorMode (uMode=0x0) returned 0x1 [0050.096] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0050.096] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0050.101] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0050.103] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0050.103] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0xb76a3aeea0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb76a3aeea0) returned 0xffffffffffffffff [0050.103] GetLastError () returned 0x2 [0050.103] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\vssadmin.exe.*", fInfoLevelId=0x1, lpFindFileData=0xb76a3aeea0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb76a3aeea0) returned 0xffffffffffffffff [0050.104] GetLastError () returned 0x2 [0050.104] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0050.104] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0xb76a3aeea0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb76a3aeea0) returned 0xb76a5c6ef0 [0050.104] FindClose (in: hFindFile=0xb76a5c6ef0 | out: hFindFile=0xb76a5c6ef0) returned 1 [0050.104] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0050.104] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0050.104] GetConsoleTitleW (in: lpConsoleTitle=0xb76a3af400, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0050.104] InitializeProcThreadAttributeList (in: lpAttributeList=0xb76a3af320, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xb76a3af220 | out: lpAttributeList=0xb76a3af320, lpSize=0xb76a3af220) returned 1 [0050.104] UpdateProcThreadAttribute (in: lpAttributeList=0xb76a3af320, dwFlags=0x0, Attribute=0x60001, lpValue=0xb76a3af208, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xb76a3af320, lpPreviousValue=0x0) returned 1 [0050.104] GetStartupInfoW (in: lpStartupInfo=0xb76a3af2b0 | out: lpStartupInfo=0xb76a3af2b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0050.104] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0050.105] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0050.105] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0050.107] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe delete shadows /all /quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xb76a3af240*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin.exe delete shadows /all /quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xb76a3af228 | out: lpCommandLine="vssadmin.exe delete shadows /all /quiet ", lpProcessInformation=0xb76a3af228*(hProcess=0x48, hThread=0x44, dwProcessId=0xad8, dwThreadId=0xb18)) returned 1 [0050.320] CloseHandle (hObject=0x44) returned 1 [0050.320] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0050.320] GetEnvironmentStringsW () returned 0xb76a5c5020* [0050.320] FreeEnvironmentStringsA (penv="=") returned 1 [0050.320] WaitForSingleObject (hHandle=0x48, dwMilliseconds=0xffffffff) returned 0x0 [0067.500] GetExitCodeProcess (in: hProcess=0x48, lpExitCode=0xb76a3af1a8 | out: lpExitCode=0xb76a3af1a8*=0x0) returned 1 [0067.500] CloseHandle (hObject=0x48) returned 1 [0067.500] _vsnwprintf (in: _Buffer=0xb76a3af368, _BufferCount=0x13, _Format="%08X", _ArgList=0xb76a3af1b8 | out: _Buffer="00000000") returned 8 [0067.500] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0067.501] GetEnvironmentStringsW () returned 0xb76a5c7120* [0067.501] FreeEnvironmentStringsA (penv="=") returned 1 [0067.501] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0067.501] GetEnvironmentStringsW () returned 0xb76a5c7120* [0067.501] FreeEnvironmentStringsA (penv="=") returned 1 [0067.501] DeleteProcThreadAttributeList (in: lpAttributeList=0xb76a3af320 | out: lpAttributeList=0xb76a3af320) [0067.501] GetConsoleTitleW (in: lpConsoleTitle=0xb76a3af7f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0067.522] GetFileAttributesW (lpFileName="bcdedit.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\bcdedit.exe")) returned 0xffffffff [0067.522] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0067.522] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0067.522] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0067.522] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0067.522] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0067.522] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0067.522] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0067.522] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0067.522] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0067.522] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0067.522] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0067.522] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0067.522] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0067.522] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0067.522] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0067.522] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0067.522] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0067.522] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0067.523] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0067.523] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0067.523] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0067.523] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0067.523] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0067.523] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0067.523] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0067.523] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0067.523] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0067.523] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0067.523] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0067.523] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0067.523] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0067.523] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0067.523] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0067.523] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0067.523] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0067.523] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0067.523] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0067.523] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0067.523] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0067.523] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0067.523] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0067.523] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0067.523] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0067.523] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0067.523] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0067.524] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0067.524] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0067.524] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0067.524] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0067.524] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0067.524] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0067.524] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0067.524] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0067.524] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0067.524] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0067.524] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0067.524] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0067.524] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0067.524] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0067.524] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0067.524] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0067.524] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0067.524] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0067.524] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0067.524] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0067.524] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0067.524] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0067.524] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0067.524] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0067.524] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0067.524] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0067.524] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0067.524] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0067.525] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0067.525] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0067.525] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0067.525] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0067.525] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0067.525] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0067.525] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0067.525] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0067.525] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0067.525] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0067.525] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0067.525] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0067.525] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0067.525] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0067.526] SetErrorMode (uMode=0x0) returned 0x0 [0067.526] SetErrorMode (uMode=0x1) returned 0x0 [0067.526] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb76a5c7130, lpFilePart=0xb76a3af090 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb76a3af090*="Desktop") returned 0x1c [0067.526] SetErrorMode (uMode=0x0) returned 0x1 [0067.526] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0067.526] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0067.526] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0067.526] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0067.526] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\bcdedit.exe", fInfoLevelId=0x1, lpFindFileData=0xb76a3aee10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb76a3aee10) returned 0xffffffffffffffff [0067.528] GetLastError () returned 0x2 [0067.528] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\bcdedit.exe.*", fInfoLevelId=0x1, lpFindFileData=0xb76a3aee10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb76a3aee10) returned 0xffffffffffffffff [0067.528] GetLastError () returned 0x2 [0067.528] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0067.529] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.exe", fInfoLevelId=0x1, lpFindFileData=0xb76a3aee10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb76a3aee10) returned 0xb76a5c5ce0 [0067.529] FindClose (in: hFindFile=0xb76a5c5ce0 | out: hFindFile=0xb76a5c5ce0) returned 1 [0067.529] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0067.529] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0067.529] GetConsoleTitleW (in: lpConsoleTitle=0xb76a3af370, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0067.529] InitializeProcThreadAttributeList (in: lpAttributeList=0xb76a3af290, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xb76a3af190 | out: lpAttributeList=0xb76a3af290, lpSize=0xb76a3af190) returned 1 [0067.530] UpdateProcThreadAttribute (in: lpAttributeList=0xb76a3af290, dwFlags=0x0, Attribute=0x60001, lpValue=0xb76a3af178, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xb76a3af290, lpPreviousValue=0x0) returned 1 [0067.530] GetStartupInfoW (in: lpStartupInfo=0xb76a3af220 | out: lpStartupInfo=0xb76a3af220*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0067.530] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0067.531] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0067.531] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0067.531] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit.exe /set {default} recoveryenabled no ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xb76a3af1b0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit.exe /set {default} recoveryenabled no ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xb76a3af198 | out: lpCommandLine="bcdedit.exe /set {default} recoveryenabled no ", lpProcessInformation=0xb76a3af198*(hProcess=0x44, hThread=0x48, dwProcessId=0x8dc, dwThreadId=0x940)) returned 1 [0067.861] CloseHandle (hObject=0x48) returned 1 [0067.861] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0067.861] GetEnvironmentStringsW () returned 0xb76a5c7480* [0067.861] FreeEnvironmentStringsA (penv="=") returned 1 [0067.861] WaitForSingleObject (hHandle=0x44, dwMilliseconds=0xffffffff) returned 0x0 [0069.161] GetExitCodeProcess (in: hProcess=0x44, lpExitCode=0xb76a3af118 | out: lpExitCode=0xb76a3af118*=0x0) returned 1 [0069.161] CloseHandle (hObject=0x44) returned 1 [0069.161] _vsnwprintf (in: _Buffer=0xb76a3af2d8, _BufferCount=0x13, _Format="%08X", _ArgList=0xb76a3af128 | out: _Buffer="00000000") returned 8 [0069.161] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0069.161] GetEnvironmentStringsW () returned 0xb76a5c7480* [0069.161] FreeEnvironmentStringsA (penv="=") returned 1 [0069.161] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0069.161] GetEnvironmentStringsW () returned 0xb76a5c7480* [0069.161] FreeEnvironmentStringsA (penv="=") returned 1 [0069.161] DeleteProcThreadAttributeList (in: lpAttributeList=0xb76a3af290 | out: lpAttributeList=0xb76a3af290) [0069.161] GetConsoleTitleW (in: lpConsoleTitle=0xb76a3af820, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.162] GetFileAttributesW (lpFileName="bcdedit.exe" (normalized: "c:\\users\\5jghkoaofdp\\desktop\\bcdedit.exe")) returned 0xffffffff [0069.162] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0069.162] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0069.162] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0069.162] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0069.162] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0069.162] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0069.162] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0069.162] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0069.162] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0069.162] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0069.162] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0069.162] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0069.162] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0069.162] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0069.162] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0069.162] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0069.162] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0069.162] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0069.162] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0069.162] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0069.162] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0069.162] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0069.162] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0069.162] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0069.162] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0069.163] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0069.163] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0069.163] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0069.163] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0069.163] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0069.163] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0069.163] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0069.163] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0069.163] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0069.163] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0069.163] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0069.163] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0069.163] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0069.163] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0069.163] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0069.163] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0069.163] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0069.163] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0069.163] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0069.163] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0069.163] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0069.163] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0069.163] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0069.163] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0069.163] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0069.163] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0069.163] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0069.163] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0069.163] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0069.163] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0069.163] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0069.163] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0069.163] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0069.163] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0069.163] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0069.163] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0069.163] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0069.163] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0069.164] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0069.164] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0069.164] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0069.164] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0069.164] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0069.164] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0069.164] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0069.164] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0069.164] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0069.164] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0069.164] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0069.164] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0069.164] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0069.164] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0069.164] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0069.164] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0069.164] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0069.164] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0069.164] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0069.164] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0069.164] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0069.164] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0069.164] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0069.164] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0069.164] SetErrorMode (uMode=0x0) returned 0x0 [0069.164] SetErrorMode (uMode=0x1) returned 0x0 [0069.164] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xb76a5c76b0, lpFilePart=0xb76a3af0c0 | out: lpBuffer="C:\\Users\\5JgHKoaOfdp\\Desktop", lpFilePart=0xb76a3af0c0*="Desktop") returned 0x1c [0069.164] SetErrorMode (uMode=0x0) returned 0x1 [0069.164] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0069.164] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0069.165] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff639dee100, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0069.165] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.165] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\bcdedit.exe", fInfoLevelId=0x1, lpFindFileData=0xb76a3aee40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb76a3aee40) returned 0xffffffffffffffff [0069.165] GetLastError () returned 0x2 [0069.165] FindFirstFileExW (in: lpFileName="C:\\Users\\5JgHKoaOfdp\\Desktop\\bcdedit.exe.*", fInfoLevelId=0x1, lpFindFileData=0xb76a3aee40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb76a3aee40) returned 0xffffffffffffffff [0069.165] GetLastError () returned 0x2 [0069.165] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.165] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.exe", fInfoLevelId=0x1, lpFindFileData=0xb76a3aee40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xb76a3aee40) returned 0xb76a5c7a00 [0069.165] FindClose (in: hFindFile=0xb76a5c7a00 | out: hFindFile=0xb76a5c7a00) returned 1 [0069.165] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0069.165] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0069.166] GetConsoleTitleW (in: lpConsoleTitle=0xb76a3af3a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0069.166] InitializeProcThreadAttributeList (in: lpAttributeList=0xb76a3af2c0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xb76a3af1c0 | out: lpAttributeList=0xb76a3af2c0, lpSize=0xb76a3af1c0) returned 1 [0069.166] UpdateProcThreadAttribute (in: lpAttributeList=0xb76a3af2c0, dwFlags=0x0, Attribute=0x60001, lpValue=0xb76a3af1a8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xb76a3af2c0, lpPreviousValue=0x0) returned 1 [0069.166] GetStartupInfoW (in: lpStartupInfo=0xb76a3af250 | out: lpStartupInfo=0xb76a3af250*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0069.166] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0069.167] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0069.167] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0069.167] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5JgHKoaOfdp\\Desktop", lpStartupInfo=0xb76a3af1e0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xb76a3af1c8 | out: lpCommandLine="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0xb76a3af1c8*(hProcess=0x48, hThread=0x44, dwProcessId=0x8d8, dwThreadId=0x8a8)) returned 1 [0069.170] CloseHandle (hObject=0x44) returned 1 [0069.170] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0069.170] GetEnvironmentStringsW () returned 0xb76a5c7a00* [0069.170] FreeEnvironmentStringsA (penv="=") returned 1 [0069.170] WaitForSingleObject (hHandle=0x48, dwMilliseconds=0xffffffff) returned 0x0 [0069.204] GetExitCodeProcess (in: hProcess=0x48, lpExitCode=0xb76a3af148 | out: lpExitCode=0xb76a3af148*=0x0) returned 1 [0069.204] CloseHandle (hObject=0x48) returned 1 [0069.204] _vsnwprintf (in: _Buffer=0xb76a3af308, _BufferCount=0x13, _Format="%08X", _ArgList=0xb76a3af158 | out: _Buffer="00000000") returned 8 [0069.204] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0069.204] GetEnvironmentStringsW () returned 0xb76a5c7a00* [0069.204] FreeEnvironmentStringsA (penv="=") returned 1 [0069.204] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0069.204] GetEnvironmentStringsW () returned 0xb76a5c7a00* [0069.204] FreeEnvironmentStringsA (penv="=") returned 1 [0069.204] DeleteProcThreadAttributeList (in: lpAttributeList=0xb76a3af2c0 | out: lpAttributeList=0xb76a3af2c0) [0069.204] _get_osfhandle (_FileHandle=1) returned 0x1c [0069.204] SetConsoleMode (hConsoleHandle=0x1c, dwMode=0x3) returned 1 [0069.205] _get_osfhandle (_FileHandle=1) returned 0x1c [0069.205] GetConsoleMode (in: hConsoleHandle=0x1c, lpMode=0x7ff639ded150 | out: lpMode=0x7ff639ded150) returned 1 [0069.205] _get_osfhandle (_FileHandle=0) returned 0x18 [0069.205] GetConsoleMode (in: hConsoleHandle=0x18, lpMode=0x7ff639ded14c | out: lpMode=0x7ff639ded14c) returned 1 [0069.205] SetConsoleInputExeNameW () returned 0x1 [0069.205] GetConsoleOutputCP () returned 0x1b5 [0069.205] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff639dfa120 | out: lpCPInfo=0x7ff639dfa120) returned 1 [0069.205] SetThreadUILanguage (LangId=0x0) returned 0x409 [0069.206] exit (_Code=0) Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x8332000" os_pid = "0xafc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xaf0" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff" cur_dir = "C:\\Windows" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 374 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 375 start_va = 0xcd23640000 end_va = 0xcd2365ffff entry_point = 0x0 region_type = private name = "private_0x000000cd23640000" filename = "" Region: id = 376 start_va = 0xcd23660000 end_va = 0xcd2366efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd23660000" filename = "" Region: id = 377 start_va = 0xcd23670000 end_va = 0xcd236affff entry_point = 0x0 region_type = private name = "private_0x000000cd23670000" filename = "" Region: id = 378 start_va = 0x7ff6c7350000 end_va = 0x7ff6c7372fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c7350000" filename = "" Region: id = 379 start_va = 0x7ff6c7375000 end_va = 0x7ff6c7375fff entry_point = 0x0 region_type = private name = "private_0x00007ff6c7375000" filename = "" Region: id = 380 start_va = 0x7ff6c737e000 end_va = 0x7ff6c737ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c737e000" filename = "" Region: id = 381 start_va = 0x7ff6c78b0000 end_va = 0x7ff6c790bfff entry_point = 0x7ff6c78b0000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 382 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 383 start_va = 0xcd237d0000 end_va = 0xcd238cffff entry_point = 0x0 region_type = private name = "private_0x000000cd237d0000" filename = "" Region: id = 384 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 385 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 386 start_va = 0xcd23640000 end_va = 0xcd2364ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd23640000" filename = "" Region: id = 387 start_va = 0xcd23650000 end_va = 0xcd23656fff entry_point = 0x0 region_type = private name = "private_0x000000cd23650000" filename = "" Region: id = 388 start_va = 0xcd236b0000 end_va = 0xcd2372dfff entry_point = 0xcd236b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 389 start_va = 0x7ff6c7250000 end_va = 0x7ff6c734ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c7250000" filename = "" Region: id = 390 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 391 start_va = 0x7ffb1b070000 end_va = 0x7ffb1b126fff entry_point = 0x7ffb1b070000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 392 start_va = 0x7ffb1b410000 end_va = 0x7ffb1b580fff entry_point = 0x7ffb1b410000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 393 start_va = 0x7ffb1b590000 end_va = 0x7ffb1b6c8fff entry_point = 0x7ffb1b590000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 394 start_va = 0x7ffb1b870000 end_va = 0x7ffb1ba45fff entry_point = 0x7ffb1b870000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 395 start_va = 0x7ffb1d2f0000 end_va = 0x7ffb1d323fff entry_point = 0x7ffb1d2f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 396 start_va = 0x7ffb1d450000 end_va = 0x7ffb1d594fff entry_point = 0x7ffb1d450000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 397 start_va = 0x7ffb1d5a0000 end_va = 0x7ffb1d6d5fff entry_point = 0x7ffb1d5a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 398 start_va = 0xcd23730000 end_va = 0xcd23736fff entry_point = 0x0 region_type = private name = "private_0x000000cd23730000" filename = "" Region: id = 399 start_va = 0xcd23740000 end_va = 0xcd23742fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd23740000" filename = "" Region: id = 400 start_va = 0xcd23750000 end_va = 0xcd23750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd23750000" filename = "" Region: id = 401 start_va = 0xcd23760000 end_va = 0xcd23760fff entry_point = 0x0 region_type = private name = "private_0x000000cd23760000" filename = "" Region: id = 402 start_va = 0xcd23770000 end_va = 0xcd23770fff entry_point = 0x0 region_type = private name = "private_0x000000cd23770000" filename = "" Region: id = 403 start_va = 0xcd23780000 end_va = 0xcd237bffff entry_point = 0x0 region_type = private name = "private_0x000000cd23780000" filename = "" Region: id = 404 start_va = 0xcd238d0000 end_va = 0xcd23a57fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd238d0000" filename = "" Region: id = 405 start_va = 0xcd23bd0000 end_va = 0xcd23bdffff entry_point = 0x0 region_type = private name = "private_0x000000cd23bd0000" filename = "" Region: id = 406 start_va = 0xcd23be0000 end_va = 0xcd23d60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd23be0000" filename = "" Region: id = 407 start_va = 0xcd23d70000 end_va = 0xcd2516ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd23d70000" filename = "" Region: id = 408 start_va = 0xcd25170000 end_va = 0xcd2556bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd25170000" filename = "" Region: id = 409 start_va = 0x7ff6c737c000 end_va = 0x7ff6c737dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c737c000" filename = "" Region: id = 410 start_va = 0x7ffb197a0000 end_va = 0x7ffb198c0fff entry_point = 0x7ffb197a0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 411 start_va = 0xcd23670000 end_va = 0xcd23673fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd23670000" filename = "" Region: id = 412 start_va = 0xcd23680000 end_va = 0xcd23686fff entry_point = 0x0 region_type = private name = "private_0x000000cd23680000" filename = "" Region: id = 413 start_va = 0xcd23690000 end_va = 0xcd23693fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd23690000" filename = "" Region: id = 414 start_va = 0xcd23a60000 end_va = 0xcd23a9ffff entry_point = 0x0 region_type = private name = "private_0x000000cd23a60000" filename = "" Region: id = 415 start_va = 0xcd23ae0000 end_va = 0xcd23aeffff entry_point = 0x0 region_type = private name = "private_0x000000cd23ae0000" filename = "" Region: id = 416 start_va = 0xcd25570000 end_va = 0xcd25660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd25570000" filename = "" Region: id = 417 start_va = 0xcd25670000 end_va = 0xcd25944fff entry_point = 0xcd25670000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 418 start_va = 0x7ffb19210000 end_va = 0x7ffb1922ffff entry_point = 0x7ffb19210000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 419 start_va = 0xcd236a0000 end_va = 0xcd236a4fff entry_point = 0xcd236a0000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 420 start_va = 0xcd237c0000 end_va = 0xcd237c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd237c0000" filename = "" Region: id = 421 start_va = 0x7ffb18f20000 end_va = 0x7ffb19179fff entry_point = 0x7ffb18f20000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\\comctl32.dll") Region: id = 423 start_va = 0xcd23ab0000 end_va = 0xcd23ab1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000cd23ab0000" filename = "" Region: id = 424 start_va = 0x7ffb193e0000 end_va = 0x7ffb1947efff entry_point = 0x7ffb193e0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Thread: id = 15 os_tid = 0xb00 Thread: id = 16 os_tid = 0xb04 Thread: id = 17 os_tid = 0xb08 Process: id = "5" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0xac8a000" os_pid = "0xad8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xaf0" cmd_line = "vssadmin.exe delete shadows /all /quiet " cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 432 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 433 start_va = 0x12970a0000 end_va = 0x12970bffff entry_point = 0x0 region_type = private name = "private_0x00000012970a0000" filename = "" Region: id = 434 start_va = 0x12970c0000 end_va = 0x12970cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000012970c0000" filename = "" Region: id = 435 start_va = 0x12970d0000 end_va = 0x129714ffff entry_point = 0x0 region_type = private name = "private_0x00000012970d0000" filename = "" Region: id = 436 start_va = 0x1297150000 end_va = 0x1297153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001297150000" filename = "" Region: id = 437 start_va = 0x1297160000 end_va = 0x1297160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001297160000" filename = "" Region: id = 438 start_va = 0x1297170000 end_va = 0x1297171fff entry_point = 0x0 region_type = private name = "private_0x0000001297170000" filename = "" Region: id = 439 start_va = 0x7ff673fa0000 end_va = 0x7ff673fc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff673fa0000" filename = "" Region: id = 440 start_va = 0x7ff673fcd000 end_va = 0x7ff673fcdfff entry_point = 0x0 region_type = private name = "private_0x00007ff673fcd000" filename = "" Region: id = 441 start_va = 0x7ff673fce000 end_va = 0x7ff673fcffff entry_point = 0x0 region_type = private name = "private_0x00007ff673fce000" filename = "" Region: id = 442 start_va = 0x7ff6741b0000 end_va = 0x7ff6741d8fff entry_point = 0x7ff6741b0000 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 443 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 444 start_va = 0x1297330000 end_va = 0x129742ffff entry_point = 0x0 region_type = private name = "private_0x0000001297330000" filename = "" Region: id = 445 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 446 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 447 start_va = 0x12970a0000 end_va = 0x12970affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000012970a0000" filename = "" Region: id = 448 start_va = 0x12970b0000 end_va = 0x12970b6fff entry_point = 0x0 region_type = private name = "private_0x00000012970b0000" filename = "" Region: id = 449 start_va = 0x1297180000 end_va = 0x12971fdfff entry_point = 0x1297180000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 450 start_va = 0x7ff673ea0000 end_va = 0x7ff673f9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff673ea0000" filename = "" Region: id = 451 start_va = 0x7ffb130f0000 end_va = 0x7ffb13105fff entry_point = 0x7ffb130f0000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 452 start_va = 0x7ffb13110000 end_va = 0x7ffb1328ffff entry_point = 0x7ffb13110000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 453 start_va = 0x7ffb16730000 end_va = 0x7ffb16749fff entry_point = 0x7ffb16730000 region_type = mapped_file name = "bcd.dll" filename = "\\Windows\\System32\\bcd.dll" (normalized: "c:\\windows\\system32\\bcd.dll") Region: id = 454 start_va = 0x7ffb17100000 end_va = 0x7ffb1711afff entry_point = 0x7ffb17100000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 455 start_va = 0x7ffb171a0000 end_va = 0x7ffb171a8fff entry_point = 0x7ffb171a0000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 456 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 457 start_va = 0x7ffb1b010000 end_va = 0x7ffb1b067fff entry_point = 0x7ffb1b010000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 458 start_va = 0x7ffb1b070000 end_va = 0x7ffb1b126fff entry_point = 0x7ffb1b070000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 459 start_va = 0x7ffb1b280000 end_va = 0x7ffb1b288fff entry_point = 0x7ffb1b280000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 460 start_va = 0x7ffb1b290000 end_va = 0x7ffb1b407fff entry_point = 0x7ffb1b290000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 461 start_va = 0x7ffb1b410000 end_va = 0x7ffb1b580fff entry_point = 0x7ffb1b410000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 462 start_va = 0x7ffb1b870000 end_va = 0x7ffb1ba45fff entry_point = 0x7ffb1b870000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 463 start_va = 0x7ffb1ba50000 end_va = 0x7ffb1baa6fff entry_point = 0x7ffb1ba50000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 464 start_va = 0x7ffb1cef0000 end_va = 0x7ffb1cf94fff entry_point = 0x7ffb1cef0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 465 start_va = 0x7ffb1d230000 end_va = 0x7ffb1d280fff entry_point = 0x7ffb1d230000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 466 start_va = 0x7ffb1d450000 end_va = 0x7ffb1d594fff entry_point = 0x7ffb1d450000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 467 start_va = 0x7ffb1d5a0000 end_va = 0x7ffb1d6d5fff entry_point = 0x7ffb1d5a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 470 start_va = 0x1297200000 end_va = 0x1297206fff entry_point = 0x0 region_type = private name = "private_0x0000001297200000" filename = "" Region: id = 471 start_va = 0x1297240000 end_va = 0x129724ffff entry_point = 0x0 region_type = private name = "private_0x0000001297240000" filename = "" Region: id = 472 start_va = 0x1297430000 end_va = 0x12975b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001297430000" filename = "" Region: id = 473 start_va = 0x7ffb1b590000 end_va = 0x7ffb1b6c8fff entry_point = 0x7ffb1b590000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 474 start_va = 0x7ffb1d2f0000 end_va = 0x7ffb1d323fff entry_point = 0x7ffb1d2f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 475 start_va = 0x1297210000 end_va = 0x1297212fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001297210000" filename = "" Region: id = 476 start_va = 0x1297220000 end_va = 0x1297220fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001297220000" filename = "" Region: id = 477 start_va = 0x1297230000 end_va = 0x129723cfff entry_point = 0x1297230000 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 478 start_va = 0x1297250000 end_va = 0x1297250fff entry_point = 0x0 region_type = private name = "private_0x0000001297250000" filename = "" Region: id = 479 start_va = 0x1297260000 end_va = 0x1297260fff entry_point = 0x0 region_type = private name = "private_0x0000001297260000" filename = "" Region: id = 480 start_va = 0x12975c0000 end_va = 0x1297740fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000012975c0000" filename = "" Region: id = 481 start_va = 0x1297750000 end_va = 0x1298b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001297750000" filename = "" Region: id = 482 start_va = 0x7ffb19920000 end_va = 0x7ffb19929fff entry_point = 0x7ffb19920000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 483 start_va = 0x7ffb1a860000 end_va = 0x7ffb1a8bffff entry_point = 0x7ffb1a860000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 484 start_va = 0x7ffb1a9c0000 end_va = 0x7ffb1a9c9fff entry_point = 0x7ffb1a9c0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 485 start_va = 0x1297270000 end_va = 0x1297270fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001297270000" filename = "" Region: id = 486 start_va = 0x7ffb1cfa0000 end_va = 0x7ffb1d043fff entry_point = 0x7ffb1cfa0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 487 start_va = 0x1297280000 end_va = 0x1297280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001297280000" filename = "" Region: id = 488 start_va = 0x7ffb1a310000 end_va = 0x7ffb1a32dfff entry_point = 0x7ffb1a310000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 489 start_va = 0x7ffb19f50000 end_va = 0x7ffb19f84fff entry_point = 0x7ffb19f50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 490 start_va = 0x7ffb1a540000 end_va = 0x7ffb1a565fff entry_point = 0x7ffb1a540000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 495 start_va = 0x1297290000 end_va = 0x129730ffff entry_point = 0x0 region_type = private name = "private_0x0000001297290000" filename = "" Region: id = 496 start_va = 0x1298b50000 end_va = 0x1298e24fff entry_point = 0x1298b50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 497 start_va = 0x1298e30000 end_va = 0x1298eaffff entry_point = 0x0 region_type = private name = "private_0x0000001298e30000" filename = "" Region: id = 498 start_va = 0x1298eb0000 end_va = 0x1298f2ffff entry_point = 0x0 region_type = private name = "private_0x0000001298eb0000" filename = "" Region: id = 499 start_va = 0x7ff673fc7000 end_va = 0x7ff673fc8fff entry_point = 0x0 region_type = private name = "private_0x00007ff673fc7000" filename = "" Region: id = 500 start_va = 0x7ff673fc9000 end_va = 0x7ff673fcafff entry_point = 0x0 region_type = private name = "private_0x00007ff673fc9000" filename = "" Region: id = 501 start_va = 0x7ff673fcb000 end_va = 0x7ff673fccfff entry_point = 0x0 region_type = private name = "private_0x00007ff673fcb000" filename = "" Region: id = 502 start_va = 0x7ffb14230000 end_va = 0x7ffb14244fff entry_point = 0x7ffb14230000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Thread: id = 18 os_tid = 0xb18 Thread: id = 19 os_tid = 0xbe0 Thread: id = 20 os_tid = 0xbe4 Thread: id = 21 os_tid = 0xbe8 Process: id = "6" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x68b6000" os_pid = "0xbec" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0xad8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0004d385" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 503 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 504 start_va = 0x634f6a0000 end_va = 0x634f6affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634f6a0000" filename = "" Region: id = 505 start_va = 0x634f6b0000 end_va = 0x634f6b6fff entry_point = 0x0 region_type = private name = "private_0x000000634f6b0000" filename = "" Region: id = 506 start_va = 0x634f6c0000 end_va = 0x634f6cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634f6c0000" filename = "" Region: id = 507 start_va = 0x634f6d0000 end_va = 0x634f74ffff entry_point = 0x0 region_type = private name = "private_0x000000634f6d0000" filename = "" Region: id = 508 start_va = 0x634f750000 end_va = 0x634f753fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634f750000" filename = "" Region: id = 509 start_va = 0x634f760000 end_va = 0x634f760fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634f760000" filename = "" Region: id = 510 start_va = 0x634f770000 end_va = 0x634f771fff entry_point = 0x0 region_type = private name = "private_0x000000634f770000" filename = "" Region: id = 511 start_va = 0x634f780000 end_va = 0x634f7fdfff entry_point = 0x634f780000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 512 start_va = 0x634f800000 end_va = 0x634f806fff entry_point = 0x0 region_type = private name = "private_0x000000634f800000" filename = "" Region: id = 513 start_va = 0x634f810000 end_va = 0x634f812fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634f810000" filename = "" Region: id = 514 start_va = 0x634f820000 end_va = 0x634f820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634f820000" filename = "" Region: id = 515 start_va = 0x634f830000 end_va = 0x634f830fff entry_point = 0x0 region_type = private name = "private_0x000000634f830000" filename = "" Region: id = 516 start_va = 0x634f840000 end_va = 0x634f93ffff entry_point = 0x0 region_type = private name = "private_0x000000634f840000" filename = "" Region: id = 517 start_va = 0x634f940000 end_va = 0x634f950fff entry_point = 0x634f940000 region_type = mapped_file name = "vssvc.exe.mui" filename = "\\Windows\\System32\\en-US\\VSSVC.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssvc.exe.mui") Region: id = 518 start_va = 0x634f960000 end_va = 0x634f960fff entry_point = 0x0 region_type = private name = "private_0x000000634f960000" filename = "" Region: id = 519 start_va = 0x634f970000 end_va = 0x634f970fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634f970000" filename = "" Region: id = 520 start_va = 0x634f980000 end_va = 0x634f980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634f980000" filename = "" Region: id = 521 start_va = 0x634f990000 end_va = 0x634f99ffff entry_point = 0x0 region_type = private name = "private_0x000000634f990000" filename = "" Region: id = 522 start_va = 0x634f9a0000 end_va = 0x634fa1ffff entry_point = 0x0 region_type = private name = "private_0x000000634f9a0000" filename = "" Region: id = 523 start_va = 0x634fa20000 end_va = 0x634fa9ffff entry_point = 0x0 region_type = private name = "private_0x000000634fa20000" filename = "" Region: id = 524 start_va = 0x634faa0000 end_va = 0x634fc27fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634faa0000" filename = "" Region: id = 525 start_va = 0x634fc30000 end_va = 0x634fdb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634fc30000" filename = "" Region: id = 526 start_va = 0x634fdc0000 end_va = 0x634fe7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000634fdc0000" filename = "" Region: id = 527 start_va = 0x634fe80000 end_va = 0x6350154fff entry_point = 0x634fe80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 528 start_va = 0x6350160000 end_va = 0x63501dffff entry_point = 0x0 region_type = private name = "private_0x0000006350160000" filename = "" Region: id = 529 start_va = 0x63501e0000 end_va = 0x635025ffff entry_point = 0x0 region_type = private name = "private_0x00000063501e0000" filename = "" Region: id = 530 start_va = 0x63502e0000 end_va = 0x63506dbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000063502e0000" filename = "" Region: id = 531 start_va = 0x63506e0000 end_va = 0x63507dffff entry_point = 0x0 region_type = private name = "private_0x00000063506e0000" filename = "" Region: id = 532 start_va = 0x63507e0000 end_va = 0x63508dffff entry_point = 0x0 region_type = private name = "private_0x00000063507e0000" filename = "" Region: id = 533 start_va = 0x7ff6335a0000 end_va = 0x7ff63369ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6335a0000" filename = "" Region: id = 534 start_va = 0x7ff6336a0000 end_va = 0x7ff6336c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6336a0000" filename = "" Region: id = 535 start_va = 0x7ff6336c4000 end_va = 0x7ff6336c5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6336c4000" filename = "" Region: id = 536 start_va = 0x7ff6336c6000 end_va = 0x7ff6336c7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6336c6000" filename = "" Region: id = 537 start_va = 0x7ff6336c8000 end_va = 0x7ff6336c9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6336c8000" filename = "" Region: id = 538 start_va = 0x7ff6336ca000 end_va = 0x7ff6336cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6336ca000" filename = "" Region: id = 539 start_va = 0x7ff6336cc000 end_va = 0x7ff6336cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6336cc000" filename = "" Region: id = 540 start_va = 0x7ff6336ce000 end_va = 0x7ff6336cefff entry_point = 0x0 region_type = private name = "private_0x00007ff6336ce000" filename = "" Region: id = 541 start_va = 0x7ff6346c0000 end_va = 0x7ff634822fff entry_point = 0x7ff6346c0000 region_type = mapped_file name = "vssvc.exe" filename = "\\Windows\\System32\\VSSVC.exe" (normalized: "c:\\windows\\system32\\vssvc.exe") Region: id = 542 start_va = 0x7ffb0ce10000 end_va = 0x7ffb0ce86fff entry_point = 0x7ffb0ce10000 region_type = mapped_file name = "catsrvut.dll" filename = "\\Windows\\System32\\catsrvut.dll" (normalized: "c:\\windows\\system32\\catsrvut.dll") Region: id = 543 start_va = 0x7ffb0fac0000 end_va = 0x7ffb0fb2afff entry_point = 0x7ffb0fac0000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 544 start_va = 0x7ffb0fc30000 end_va = 0x7ffb0fc78fff entry_point = 0x7ffb0fc30000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 545 start_va = 0x7ffb130f0000 end_va = 0x7ffb13105fff entry_point = 0x7ffb130f0000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 546 start_va = 0x7ffb13110000 end_va = 0x7ffb1328ffff entry_point = 0x7ffb13110000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 547 start_va = 0x7ffb14230000 end_va = 0x7ffb14244fff entry_point = 0x7ffb14230000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 548 start_va = 0x7ffb14250000 end_va = 0x7ffb1425cfff entry_point = 0x7ffb14250000 region_type = mapped_file name = "mfcsubs.dll" filename = "\\Windows\\System32\\mfcsubs.dll" (normalized: "c:\\windows\\system32\\mfcsubs.dll") Region: id = 549 start_va = 0x7ffb14270000 end_va = 0x7ffb14279fff entry_point = 0x7ffb14270000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 550 start_va = 0x7ffb14280000 end_va = 0x7ffb1428dfff entry_point = 0x7ffb14280000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 551 start_va = 0x7ffb16730000 end_va = 0x7ffb16749fff entry_point = 0x7ffb16730000 region_type = mapped_file name = "bcd.dll" filename = "\\Windows\\System32\\bcd.dll" (normalized: "c:\\windows\\system32\\bcd.dll") Region: id = 552 start_va = 0x7ffb16b10000 end_va = 0x7ffb16b26fff entry_point = 0x7ffb16b10000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 553 start_va = 0x7ffb16ba0000 end_va = 0x7ffb16bbdfff entry_point = 0x7ffb16ba0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 554 start_va = 0x7ffb17060000 end_va = 0x7ffb170d7fff entry_point = 0x7ffb17060000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 555 start_va = 0x7ffb171a0000 end_va = 0x7ffb171a8fff entry_point = 0x7ffb171a0000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 556 start_va = 0x7ffb17d30000 end_va = 0x7ffb17e94fff entry_point = 0x7ffb17d30000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 557 start_va = 0x7ffb19920000 end_va = 0x7ffb19929fff entry_point = 0x7ffb19920000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 558 start_va = 0x7ffb19d00000 end_va = 0x7ffb19d0bfff entry_point = 0x7ffb19d00000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 559 start_va = 0x7ffb19d10000 end_va = 0x7ffb19d57fff entry_point = 0x7ffb19d10000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 560 start_va = 0x7ffb19f50000 end_va = 0x7ffb19f84fff entry_point = 0x7ffb19f50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 561 start_va = 0x7ffb1a310000 end_va = 0x7ffb1a32dfff entry_point = 0x7ffb1a310000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 562 start_va = 0x7ffb1a420000 end_va = 0x7ffb1a437fff entry_point = 0x7ffb1a420000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 563 start_va = 0x7ffb1a540000 end_va = 0x7ffb1a565fff entry_point = 0x7ffb1a540000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 564 start_va = 0x7ffb1a860000 end_va = 0x7ffb1a8bffff entry_point = 0x7ffb1a860000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 565 start_va = 0x7ffb1a9c0000 end_va = 0x7ffb1a9c9fff entry_point = 0x7ffb1a9c0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 566 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 567 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 568 start_va = 0x7ffb1b010000 end_va = 0x7ffb1b067fff entry_point = 0x7ffb1b010000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 569 start_va = 0x7ffb1b070000 end_va = 0x7ffb1b126fff entry_point = 0x7ffb1b070000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 570 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 571 start_va = 0x7ffb1b280000 end_va = 0x7ffb1b288fff entry_point = 0x7ffb1b280000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 572 start_va = 0x7ffb1b410000 end_va = 0x7ffb1b580fff entry_point = 0x7ffb1b410000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 573 start_va = 0x7ffb1b870000 end_va = 0x7ffb1ba45fff entry_point = 0x7ffb1b870000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 574 start_va = 0x7ffb1ba50000 end_va = 0x7ffb1baa6fff entry_point = 0x7ffb1ba50000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 575 start_va = 0x7ffb1cef0000 end_va = 0x7ffb1cf94fff entry_point = 0x7ffb1cef0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 576 start_va = 0x7ffb1cfa0000 end_va = 0x7ffb1d043fff entry_point = 0x7ffb1cfa0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 577 start_va = 0x7ffb1d450000 end_va = 0x7ffb1d594fff entry_point = 0x7ffb1d450000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 578 start_va = 0x7ffb1d5a0000 end_va = 0x7ffb1d6d5fff entry_point = 0x7ffb1d5a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 579 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 22 os_tid = 0x6b8 Thread: id = 23 os_tid = 0x728 Thread: id = 24 os_tid = 0x8f8 Thread: id = 25 os_tid = 0x8fc Thread: id = 26 os_tid = 0x978 Thread: id = 27 os_tid = 0xbf0 Thread: id = 28 os_tid = 0x814 Thread: id = 29 os_tid = 0x80c Thread: id = 36 os_tid = 0x4c4 Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3c4fc000" os_pid = "0x64c" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0xbec" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0004d7ab" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 592 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 593 start_va = 0x33539a0000 end_va = 0x33539affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000033539a0000" filename = "" Region: id = 594 start_va = 0x33539b0000 end_va = 0x33539b6fff entry_point = 0x0 region_type = private name = "private_0x00000033539b0000" filename = "" Region: id = 595 start_va = 0x33539c0000 end_va = 0x33539cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000033539c0000" filename = "" Region: id = 596 start_va = 0x33539d0000 end_va = 0x3353a4ffff entry_point = 0x0 region_type = private name = "private_0x00000033539d0000" filename = "" Region: id = 597 start_va = 0x3353a50000 end_va = 0x3353a53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003353a50000" filename = "" Region: id = 598 start_va = 0x3353a60000 end_va = 0x3353a60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003353a60000" filename = "" Region: id = 599 start_va = 0x3353a70000 end_va = 0x3353a71fff entry_point = 0x0 region_type = private name = "private_0x0000003353a70000" filename = "" Region: id = 600 start_va = 0x3353a80000 end_va = 0x3353a86fff entry_point = 0x0 region_type = private name = "private_0x0000003353a80000" filename = "" Region: id = 601 start_va = 0x3353a90000 end_va = 0x3353a92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003353a90000" filename = "" Region: id = 602 start_va = 0x3353aa0000 end_va = 0x3353aa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003353aa0000" filename = "" Region: id = 603 start_va = 0x3353ab0000 end_va = 0x3353ab0fff entry_point = 0x0 region_type = private name = "private_0x0000003353ab0000" filename = "" Region: id = 604 start_va = 0x3353ac0000 end_va = 0x3353ac0fff entry_point = 0x0 region_type = private name = "private_0x0000003353ac0000" filename = "" Region: id = 605 start_va = 0x3353ad0000 end_va = 0x3353ad0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003353ad0000" filename = "" Region: id = 606 start_va = 0x3353ae0000 end_va = 0x3353bdffff entry_point = 0x0 region_type = private name = "private_0x0000003353ae0000" filename = "" Region: id = 607 start_va = 0x3353be0000 end_va = 0x3353c5dfff entry_point = 0x3353be0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 608 start_va = 0x3353c60000 end_va = 0x3353cdffff entry_point = 0x0 region_type = private name = "private_0x0000003353c60000" filename = "" Region: id = 609 start_va = 0x3353ce0000 end_va = 0x3353d5ffff entry_point = 0x0 region_type = private name = "private_0x0000003353ce0000" filename = "" Region: id = 610 start_va = 0x3353d60000 end_va = 0x3354034fff entry_point = 0x3353d60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 611 start_va = 0x3354040000 end_va = 0x33540bffff entry_point = 0x0 region_type = private name = "private_0x0000003354040000" filename = "" Region: id = 612 start_va = 0x33540c0000 end_va = 0x33540cffff entry_point = 0x0 region_type = private name = "private_0x00000033540c0000" filename = "" Region: id = 613 start_va = 0x33540d0000 end_va = 0x3354257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000033540d0000" filename = "" Region: id = 614 start_va = 0x3354260000 end_va = 0x33543e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003354260000" filename = "" Region: id = 615 start_va = 0x33543f0000 end_va = 0x33544affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000033543f0000" filename = "" Region: id = 616 start_va = 0x33544b0000 end_va = 0x33548abfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000033544b0000" filename = "" Region: id = 617 start_va = 0x33548b0000 end_va = 0x335492ffff entry_point = 0x0 region_type = private name = "private_0x00000033548b0000" filename = "" Region: id = 618 start_va = 0x7ff6dbbf0000 end_va = 0x7ff6dbceffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6dbbf0000" filename = "" Region: id = 619 start_va = 0x7ff6dbcf0000 end_va = 0x7ff6dbd12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6dbcf0000" filename = "" Region: id = 620 start_va = 0x7ff6dbd14000 end_va = 0x7ff6dbd15fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbd14000" filename = "" Region: id = 621 start_va = 0x7ff6dbd16000 end_va = 0x7ff6dbd16fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbd16000" filename = "" Region: id = 622 start_va = 0x7ff6dbd18000 end_va = 0x7ff6dbd19fff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbd18000" filename = "" Region: id = 623 start_va = 0x7ff6dbd1a000 end_va = 0x7ff6dbd1bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbd1a000" filename = "" Region: id = 624 start_va = 0x7ff6dbd1c000 end_va = 0x7ff6dbd1dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbd1c000" filename = "" Region: id = 625 start_va = 0x7ff6dbd1e000 end_va = 0x7ff6dbd1ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbd1e000" filename = "" Region: id = 626 start_va = 0x7ff6dbe30000 end_va = 0x7ff6dbe3bfff entry_point = 0x7ff6dbe30000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 627 start_va = 0x7ffb0b280000 end_va = 0x7ffb0b331fff entry_point = 0x7ffb0b280000 region_type = mapped_file name = "swprv.dll" filename = "\\Windows\\System32\\swprv.dll" (normalized: "c:\\windows\\system32\\swprv.dll") Region: id = 628 start_va = 0x7ffb0fac0000 end_va = 0x7ffb0fb2afff entry_point = 0x7ffb0fac0000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 629 start_va = 0x7ffb130f0000 end_va = 0x7ffb13105fff entry_point = 0x7ffb130f0000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 630 start_va = 0x7ffb14230000 end_va = 0x7ffb14244fff entry_point = 0x7ffb14230000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 631 start_va = 0x7ffb14270000 end_va = 0x7ffb14279fff entry_point = 0x7ffb14270000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 632 start_va = 0x7ffb14280000 end_va = 0x7ffb1428dfff entry_point = 0x7ffb14280000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 633 start_va = 0x7ffb19920000 end_va = 0x7ffb19929fff entry_point = 0x7ffb19920000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 634 start_va = 0x7ffb19f50000 end_va = 0x7ffb19f84fff entry_point = 0x7ffb19f50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 635 start_va = 0x7ffb1a310000 end_va = 0x7ffb1a32dfff entry_point = 0x7ffb1a310000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 636 start_va = 0x7ffb1a420000 end_va = 0x7ffb1a437fff entry_point = 0x7ffb1a420000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 637 start_va = 0x7ffb1a540000 end_va = 0x7ffb1a565fff entry_point = 0x7ffb1a540000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 638 start_va = 0x7ffb1a860000 end_va = 0x7ffb1a8bffff entry_point = 0x7ffb1a860000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 639 start_va = 0x7ffb1a9c0000 end_va = 0x7ffb1a9c9fff entry_point = 0x7ffb1a9c0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 640 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 641 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 642 start_va = 0x7ffb1b070000 end_va = 0x7ffb1b126fff entry_point = 0x7ffb1b070000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 643 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 644 start_va = 0x7ffb1b410000 end_va = 0x7ffb1b580fff entry_point = 0x7ffb1b410000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 645 start_va = 0x7ffb1b870000 end_va = 0x7ffb1ba45fff entry_point = 0x7ffb1b870000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 646 start_va = 0x7ffb1ba50000 end_va = 0x7ffb1baa6fff entry_point = 0x7ffb1ba50000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 647 start_va = 0x7ffb1cfa0000 end_va = 0x7ffb1d043fff entry_point = 0x7ffb1cfa0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 648 start_va = 0x7ffb1d450000 end_va = 0x7ffb1d594fff entry_point = 0x7ffb1d450000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 649 start_va = 0x7ffb1d5a0000 end_va = 0x7ffb1d6d5fff entry_point = 0x7ffb1d5a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 650 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 651 start_va = 0x3354930000 end_va = 0x33549affff entry_point = 0x0 region_type = private name = "private_0x0000003354930000" filename = "" Region: id = 652 start_va = 0x7ff6dbbee000 end_va = 0x7ff6dbbeffff entry_point = 0x0 region_type = private name = "private_0x00007ff6dbbee000" filename = "" Region: id = 653 start_va = 0x7ffb13110000 end_va = 0x7ffb1328ffff entry_point = 0x7ffb13110000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 654 start_va = 0x7ffb16730000 end_va = 0x7ffb16749fff entry_point = 0x7ffb16730000 region_type = mapped_file name = "bcd.dll" filename = "\\Windows\\System32\\bcd.dll" (normalized: "c:\\windows\\system32\\bcd.dll") Region: id = 655 start_va = 0x7ffb171a0000 end_va = 0x7ffb171a8fff entry_point = 0x7ffb171a0000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 656 start_va = 0x7ffb1b010000 end_va = 0x7ffb1b067fff entry_point = 0x7ffb1b010000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 657 start_va = 0x7ffb1b280000 end_va = 0x7ffb1b288fff entry_point = 0x7ffb1b280000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Thread: id = 30 os_tid = 0xbf4 Thread: id = 31 os_tid = 0x4d8 Thread: id = 32 os_tid = 0x98c Thread: id = 33 os_tid = 0x808 Thread: id = 34 os_tid = 0x550 Thread: id = 35 os_tid = 0x804 Process: id = "8" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x21850000" os_pid = "0x8dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xaf0" cmd_line = "bcdedit.exe /set {default} recoveryenabled no " cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 684 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 685 start_va = 0xe73a6a0000 end_va = 0xe73a6bffff entry_point = 0x0 region_type = private name = "private_0x000000e73a6a0000" filename = "" Region: id = 686 start_va = 0xe73a6c0000 end_va = 0xe73a6cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e73a6c0000" filename = "" Region: id = 687 start_va = 0xe73a6d0000 end_va = 0xe73a74ffff entry_point = 0x0 region_type = private name = "private_0x000000e73a6d0000" filename = "" Region: id = 688 start_va = 0xe73a750000 end_va = 0xe73a753fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e73a750000" filename = "" Region: id = 689 start_va = 0xe73a760000 end_va = 0xe73a760fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e73a760000" filename = "" Region: id = 690 start_va = 0xe73a770000 end_va = 0xe73a771fff entry_point = 0x0 region_type = private name = "private_0x000000e73a770000" filename = "" Region: id = 691 start_va = 0x7ff61c750000 end_va = 0x7ff61c772fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff61c750000" filename = "" Region: id = 692 start_va = 0x7ff61c77d000 end_va = 0x7ff61c77efff entry_point = 0x0 region_type = private name = "private_0x00007ff61c77d000" filename = "" Region: id = 693 start_va = 0x7ff61c77f000 end_va = 0x7ff61c77ffff entry_point = 0x0 region_type = private name = "private_0x00007ff61c77f000" filename = "" Region: id = 694 start_va = 0x7ff61ca60000 end_va = 0x7ff61cab7fff entry_point = 0x7ff61ca60000 region_type = mapped_file name = "bcdedit.exe" filename = "\\Windows\\System32\\bcdedit.exe" (normalized: "c:\\windows\\system32\\bcdedit.exe") Region: id = 695 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 697 start_va = 0xe73a6a0000 end_va = 0xe73a6affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e73a6a0000" filename = "" Region: id = 698 start_va = 0xe73a780000 end_va = 0xe73a7fdfff entry_point = 0xe73a780000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 699 start_va = 0xe73a960000 end_va = 0xe73aa5ffff entry_point = 0x0 region_type = private name = "private_0x000000e73a960000" filename = "" Region: id = 700 start_va = 0x7ff61c650000 end_va = 0x7ff61c74ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff61c650000" filename = "" Region: id = 701 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 702 start_va = 0x7ffb1af60000 end_va = 0x7ffb1b006fff entry_point = 0x7ffb1af60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 703 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 704 start_va = 0x7ffb1ba50000 end_va = 0x7ffb1baa6fff entry_point = 0x7ffb1ba50000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 705 start_va = 0x7ffb1cef0000 end_va = 0x7ffb1cf94fff entry_point = 0x7ffb1cef0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 706 start_va = 0x7ffb1d5a0000 end_va = 0x7ffb1d6d5fff entry_point = 0x7ffb1d5a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 37 os_tid = 0x940 Process: id = "9" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x1f9d5000" os_pid = "0x8d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xaf0" cmd_line = "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5JgHKoaOfdp\\Desktop\\" os_username = "FIVAUF\\5JgHKoaOfdp" os_groups = "FIVAUF\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000bed0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 710 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 711 start_va = 0x4aeb070000 end_va = 0x4aeb08ffff entry_point = 0x0 region_type = private name = "private_0x0000004aeb070000" filename = "" Region: id = 712 start_va = 0x4aeb090000 end_va = 0x4aeb09efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004aeb090000" filename = "" Region: id = 713 start_va = 0x4aeb0a0000 end_va = 0x4aeb11ffff entry_point = 0x0 region_type = private name = "private_0x0000004aeb0a0000" filename = "" Region: id = 714 start_va = 0x4aeb120000 end_va = 0x4aeb123fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004aeb120000" filename = "" Region: id = 715 start_va = 0x4aeb130000 end_va = 0x4aeb130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004aeb130000" filename = "" Region: id = 716 start_va = 0x4aeb140000 end_va = 0x4aeb141fff entry_point = 0x0 region_type = private name = "private_0x0000004aeb140000" filename = "" Region: id = 717 start_va = 0x7ff61bb40000 end_va = 0x7ff61bb62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff61bb40000" filename = "" Region: id = 718 start_va = 0x7ff61bb66000 end_va = 0x7ff61bb66fff entry_point = 0x0 region_type = private name = "private_0x00007ff61bb66000" filename = "" Region: id = 719 start_va = 0x7ff61bb6e000 end_va = 0x7ff61bb6ffff entry_point = 0x0 region_type = private name = "private_0x00007ff61bb6e000" filename = "" Region: id = 720 start_va = 0x7ff61ca60000 end_va = 0x7ff61cab7fff entry_point = 0x7ff61ca60000 region_type = mapped_file name = "bcdedit.exe" filename = "\\Windows\\System32\\bcdedit.exe" (normalized: "c:\\windows\\system32\\bcdedit.exe") Region: id = 721 start_va = 0x7ffb1d6e0000 end_va = 0x7ffb1d889fff entry_point = 0x7ffb1d6e0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 722 start_va = 0x4aeb1c0000 end_va = 0x4aeb2bffff entry_point = 0x0 region_type = private name = "private_0x0000004aeb1c0000" filename = "" Region: id = 723 start_va = 0x7ffb1ada0000 end_va = 0x7ffb1aeaffff entry_point = 0x7ffb1ada0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 724 start_va = 0x7ffb1b140000 end_va = 0x7ffb1b279fff entry_point = 0x7ffb1b140000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Thread: id = 38 os_tid = 0x8a8 Process: id = "10" image_name = "System" filename = "" page_root = "0x1a7000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0x0" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 800 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 801 start_va = 0x4b8df30000 end_va = 0x4b8df52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004b8df30000" filename = "" Thread: id = 39 os_tid = 0x8 Thread: id = 40 os_tid = 0x18 Thread: id = 41 os_tid = 0x14 Thread: id = 42 os_tid = 0x1c Thread: id = 43 os_tid = 0x4c Thread: id = 44 os_tid = 0x24 Thread: id = 45 os_tid = 0x28 Thread: id = 46 os_tid = 0x2c Thread: id = 47 os_tid = 0x30 Thread: id = 48 os_tid = 0x48 Thread: id = 49 os_tid = 0x90 Thread: id = 50 os_tid = 0x94 Thread: id = 51 os_tid = 0x98 Thread: id = 52 os_tid = 0xa0 Thread: id = 53 os_tid = 0x9c Thread: id = 54 os_tid = 0x78 Thread: id = 55 os_tid = 0x38 Thread: id = 56 os_tid = 0xcc Thread: id = 57 os_tid = 0xd8 Thread: id = 58 os_tid = 0xa4 Thread: id = 59 os_tid = 0xe4 Thread: id = 62 os_tid = 0xa8 Thread: id = 64 os_tid = 0x100 Thread: id = 65 os_tid = 0x104 Thread: id = 66 os_tid = 0x10c Thread: id = 67 os_tid = 0x114 Thread: id = 68 os_tid = 0x110 Thread: id = 69 os_tid = 0x108 Thread: id = 70 os_tid = 0xac Thread: id = 71 os_tid = 0x34 Thread: id = 74 os_tid = 0x138 Thread: id = 75 os_tid = 0x13c Thread: id = 76 os_tid = 0x140 Thread: id = 77 os_tid = 0x144 Thread: id = 78 os_tid = 0x148 Thread: id = 79 os_tid = 0x7c Thread: id = 80 os_tid = 0x14c Thread: id = 81 os_tid = 0x150 Thread: id = 82 os_tid = 0x154 Thread: id = 95 os_tid = 0x20 Thread: id = 97 os_tid = 0x3c Thread: id = 100 os_tid = 0x1a4 Thread: id = 109 os_tid = 0x10 Thread: id = 119 os_tid = 0x124 Thread: id = 120 os_tid = 0x68 Thread: id = 147 os_tid = 0x6c Thread: id = 155 os_tid = 0x58 Thread: id = 156 os_tid = 0x280 Thread: id = 163 os_tid = 0x2a4 Thread: id = 189 os_tid = 0x64 Thread: id = 195 os_tid = 0xc8 Thread: id = 261 os_tid = 0x140 Thread: id = 262 os_tid = 0x144 Thread: id = 279 os_tid = 0x278 Thread: id = 286 os_tid = 0x3b0 Thread: id = 297 os_tid = 0x320 Thread: id = 301 os_tid = 0x414 Thread: id = 305 os_tid = 0x424 Process: id = "11" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x7cc6a000" os_pid = "0xe8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x4" cmd_line = "\\SystemRoot\\System32\\smss.exe" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 834 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 835 start_va = 0x6b34640000 end_va = 0x6b3465ffff entry_point = 0x0 region_type = private name = "private_0x0000006b34640000" filename = "" Region: id = 836 start_va = 0x6b34660000 end_va = 0x6b3466efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006b34660000" filename = "" Region: id = 837 start_va = 0x6b34670000 end_va = 0x6b346effff entry_point = 0x0 region_type = private name = "private_0x0000006b34670000" filename = "" Region: id = 838 start_va = 0x7ff64e7a0000 end_va = 0x7ff64e7c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff64e7a0000" filename = "" Region: id = 839 start_va = 0x7ff64e7c4000 end_va = 0x7ff64e7c4fff entry_point = 0x0 region_type = private name = "private_0x00007ff64e7c4000" filename = "" Region: id = 840 start_va = 0x7ff64e7ce000 end_va = 0x7ff64e7cffff entry_point = 0x0 region_type = private name = "private_0x00007ff64e7ce000" filename = "" Region: id = 841 start_va = 0x7ff64f320000 end_va = 0x7ff64f344fff entry_point = 0x7ff64f320000 region_type = mapped_file name = "smss.exe" filename = "\\Windows\\System32\\smss.exe" (normalized: "c:\\windows\\system32\\smss.exe") Region: id = 842 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 60 os_tid = 0xec Thread: id = 61 os_tid = 0xf4 Thread: id = 111 os_tid = 0x1cc Process: id = "12" image_name = "autochk.exe" filename = "c:\\windows\\system32\\autochk.exe" page_root = "0x52c25000" os_pid = "0xf8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xe8" cmd_line = "\\??\\C:\\Windows\\system32\\autochk.exe *" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 855 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 856 start_va = 0x753cbe0000 end_va = 0x753cbfffff entry_point = 0x0 region_type = private name = "private_0x000000753cbe0000" filename = "" Region: id = 857 start_va = 0x753cc00000 end_va = 0x753cc0efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000753cc00000" filename = "" Region: id = 858 start_va = 0x753cc10000 end_va = 0x753cc8ffff entry_point = 0x0 region_type = private name = "private_0x000000753cc10000" filename = "" Region: id = 859 start_va = 0x7ff7862c0000 end_va = 0x7ff7862e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7862c0000" filename = "" Region: id = 860 start_va = 0x7ff7862e3000 end_va = 0x7ff7862e3fff entry_point = 0x0 region_type = private name = "private_0x00007ff7862e3000" filename = "" Region: id = 861 start_va = 0x7ff7862ee000 end_va = 0x7ff7862effff entry_point = 0x0 region_type = private name = "private_0x00007ff7862ee000" filename = "" Region: id = 862 start_va = 0x7ff7869c0000 end_va = 0x7ff786a9dfff entry_point = 0x7ff7869c0000 region_type = mapped_file name = "autochk.exe" filename = "\\Windows\\System32\\autochk.exe" (normalized: "c:\\windows\\system32\\autochk.exe") Region: id = 863 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 864 start_va = 0x753cd00000 end_va = 0x753cdfffff entry_point = 0x0 region_type = private name = "private_0x000000753cd00000" filename = "" Thread: id = 63 os_tid = 0xfc Process: id = "13" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x527d5000" os_pid = "0x128" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xe8" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000000 00000050 " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 881 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 882 start_va = 0x3e10970000 end_va = 0x3e1098ffff entry_point = 0x0 region_type = private name = "private_0x0000003e10970000" filename = "" Region: id = 883 start_va = 0x3e10990000 end_va = 0x3e1099efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e10990000" filename = "" Region: id = 884 start_va = 0x3e109a0000 end_va = 0x3e10a1ffff entry_point = 0x0 region_type = private name = "private_0x0000003e109a0000" filename = "" Region: id = 885 start_va = 0x7ff64e9b0000 end_va = 0x7ff64e9d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff64e9b0000" filename = "" Region: id = 886 start_va = 0x7ff64e9db000 end_va = 0x7ff64e9dbfff entry_point = 0x0 region_type = private name = "private_0x00007ff64e9db000" filename = "" Region: id = 887 start_va = 0x7ff64e9de000 end_va = 0x7ff64e9dffff entry_point = 0x0 region_type = private name = "private_0x00007ff64e9de000" filename = "" Region: id = 888 start_va = 0x7ff64f320000 end_va = 0x7ff64f344fff entry_point = 0x7ff64f320000 region_type = mapped_file name = "smss.exe" filename = "\\Windows\\System32\\smss.exe" (normalized: "c:\\windows\\system32\\smss.exe") Region: id = 889 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 72 os_tid = 0x12c Process: id = "14" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x3a0a7000" os_pid = "0x130" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x128" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 891 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 892 start_va = 0xdc92bc0000 end_va = 0xdc92bdffff entry_point = 0x0 region_type = private name = "private_0x000000dc92bc0000" filename = "" Region: id = 893 start_va = 0xdc92be0000 end_va = 0xdc92beefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc92be0000" filename = "" Region: id = 894 start_va = 0xdc92bf0000 end_va = 0xdc92c2ffff entry_point = 0x0 region_type = private name = "private_0x000000dc92bf0000" filename = "" Region: id = 895 start_va = 0x7ff6accb0000 end_va = 0x7ff6accd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6accb0000" filename = "" Region: id = 896 start_va = 0x7ff6accdd000 end_va = 0x7ff6accddfff entry_point = 0x0 region_type = private name = "private_0x00007ff6accdd000" filename = "" Region: id = 897 start_va = 0x7ff6accde000 end_va = 0x7ff6accdffff entry_point = 0x0 region_type = private name = "private_0x00007ff6accde000" filename = "" Region: id = 898 start_va = 0x7ff6ad990000 end_va = 0x7ff6ad996fff entry_point = 0x7ff6ad990000 region_type = mapped_file name = "csrss.exe" filename = "\\Windows\\System32\\csrss.exe" (normalized: "c:\\windows\\system32\\csrss.exe") Region: id = 899 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 900 start_va = 0xdc92c40000 end_va = 0xdc92d3ffff entry_point = 0x0 region_type = private name = "private_0x000000dc92c40000" filename = "" Region: id = 901 start_va = 0x7ff9fc900000 end_va = 0x7ff9fc915fff entry_point = 0x7ff9fc900000 region_type = mapped_file name = "csrsrv.dll" filename = "\\Windows\\System32\\csrsrv.dll" (normalized: "c:\\windows\\system32\\csrsrv.dll") Region: id = 902 start_va = 0x7ff6acbb0000 end_va = 0x7ff6accaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6acbb0000" filename = "" Region: id = 903 start_va = 0x7ff9fc8e0000 end_va = 0x7ff9fc8f2fff entry_point = 0x7ff9fc8e0000 region_type = mapped_file name = "basesrv.dll" filename = "\\Windows\\System32\\basesrv.dll" (normalized: "c:\\windows\\system32\\basesrv.dll") Region: id = 904 start_va = 0x7ff9fc8a0000 end_va = 0x7ff9fc8d1fff entry_point = 0x7ff9fc8a0000 region_type = mapped_file name = "winsrv.dll" filename = "\\Windows\\System32\\winsrv.dll" (normalized: "c:\\windows\\system32\\winsrv.dll") Region: id = 905 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 906 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 907 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 908 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 912 start_va = 0xdc92bc0000 end_va = 0xdc92bc6fff entry_point = 0x0 region_type = private name = "private_0x000000dc92bc0000" filename = "" Region: id = 913 start_va = 0xdc92bd0000 end_va = 0xdc92bd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc92bd0000" filename = "" Region: id = 914 start_va = 0xdc92c30000 end_va = 0xdc92c30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc92c30000" filename = "" Region: id = 915 start_va = 0xdc92d40000 end_va = 0xdc92dbdfff entry_point = 0xdc92d40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 916 start_va = 0xdc92dc0000 end_va = 0xdc92f40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc92dc0000" filename = "" Region: id = 917 start_va = 0xdc92f50000 end_va = 0xdc9334bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc92f50000" filename = "" Region: id = 918 start_va = 0xdc93350000 end_va = 0xdc93350fff entry_point = 0x0 region_type = private name = "private_0x000000dc93350000" filename = "" Region: id = 919 start_va = 0xdc93360000 end_va = 0xdc93361fff entry_point = 0xdc93360000 region_type = mapped_file name = "vgasys.fon" filename = "\\Windows\\Fonts\\vgasys.fon" (normalized: "c:\\windows\\fonts\\vgasys.fon") Region: id = 920 start_va = 0xdc93370000 end_va = 0xdc933affff entry_point = 0x0 region_type = private name = "private_0x000000dc93370000" filename = "" Region: id = 921 start_va = 0xdc933b0000 end_va = 0xdc933effff entry_point = 0x0 region_type = private name = "private_0x000000dc933b0000" filename = "" Region: id = 922 start_va = 0x7ff6accd9000 end_va = 0x7ff6accdafff entry_point = 0x0 region_type = private name = "private_0x00007ff6accd9000" filename = "" Region: id = 923 start_va = 0x7ff6accdb000 end_va = 0x7ff6accdcfff entry_point = 0x0 region_type = private name = "private_0x00007ff6accdb000" filename = "" Region: id = 924 start_va = 0x7ff9fc890000 end_va = 0x7ff9fc89cfff entry_point = 0x7ff9fc890000 region_type = mapped_file name = "sxssrv.dll" filename = "\\Windows\\System32\\sxssrv.dll" (normalized: "c:\\windows\\system32\\sxssrv.dll") Region: id = 1137 start_va = 0xdc92bf0000 end_va = 0xdc92bfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc92bf0000" filename = "" Region: id = 1138 start_va = 0xdc92c00000 end_va = 0xdc92c06fff entry_point = 0xdc92c00000 region_type = mapped_file name = "marlett.ttf" filename = "\\Windows\\Fonts\\marlett.ttf" (normalized: "c:\\windows\\fonts\\marlett.ttf") Region: id = 1139 start_va = 0xdc92c10000 end_va = 0xdc92c27fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc92c10000" filename = "" Region: id = 1140 start_va = 0xdc933f0000 end_va = 0xdc9342ffff entry_point = 0x0 region_type = private name = "private_0x000000dc933f0000" filename = "" Region: id = 1141 start_va = 0xdc93430000 end_va = 0xdc9346ffff entry_point = 0x0 region_type = private name = "private_0x000000dc93430000" filename = "" Region: id = 1142 start_va = 0xdc93470000 end_va = 0xdc935f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc93470000" filename = "" Region: id = 1143 start_va = 0xdc93600000 end_va = 0xdc93600fff entry_point = 0x0 region_type = private name = "private_0x000000dc93600000" filename = "" Region: id = 1144 start_va = 0xdc93610000 end_va = 0xdc9364ffff entry_point = 0x0 region_type = private name = "private_0x000000dc93610000" filename = "" Region: id = 1145 start_va = 0xdc93650000 end_va = 0xdc9368ffff entry_point = 0x0 region_type = private name = "private_0x000000dc93650000" filename = "" Region: id = 1146 start_va = 0xdc93690000 end_va = 0xdc936cffff entry_point = 0x0 region_type = private name = "private_0x000000dc93690000" filename = "" Region: id = 1147 start_va = 0xdc936d0000 end_va = 0xdc9379dfff entry_point = 0xdc936d0000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 1148 start_va = 0xdc937a0000 end_va = 0xdc937cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc937a0000" filename = "" Region: id = 1149 start_va = 0xdc937d0000 end_va = 0xdc94bcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc937d0000" filename = "" Region: id = 1150 start_va = 0x7ff6acbae000 end_va = 0x7ff6acbaffff entry_point = 0x0 region_type = private name = "private_0x00007ff6acbae000" filename = "" Region: id = 1151 start_va = 0x7ff6accd3000 end_va = 0x7ff6accd4fff entry_point = 0x0 region_type = private name = "private_0x00007ff6accd3000" filename = "" Region: id = 1152 start_va = 0x7ff6accd5000 end_va = 0x7ff6accd6fff entry_point = 0x0 region_type = private name = "private_0x00007ff6accd5000" filename = "" Region: id = 1153 start_va = 0x7ff6accd7000 end_va = 0x7ff6accd8fff entry_point = 0x0 region_type = private name = "private_0x00007ff6accd7000" filename = "" Region: id = 1163 start_va = 0x7ff9fc6f0000 end_va = 0x7ff9fc786fff entry_point = 0x7ff9fc6f0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1164 start_va = 0xdc94bd0000 end_va = 0xdc94bd0fff entry_point = 0x0 region_type = private name = "private_0x000000dc94bd0000" filename = "" Region: id = 1165 start_va = 0xdc94be0000 end_va = 0xdc94be0fff entry_point = 0x0 region_type = private name = "private_0x000000dc94be0000" filename = "" Region: id = 1166 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1167 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1168 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1169 start_va = 0xdc94bf0000 end_va = 0xdc94bf3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94bf0000" filename = "" Region: id = 1171 start_va = 0xdc94bf0000 end_va = 0xdc94bf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94bf0000" filename = "" Region: id = 1190 start_va = 0xdc94bf0000 end_va = 0xdc94bfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94bf0000" filename = "" Region: id = 1191 start_va = 0xdc94c00000 end_va = 0xdc94c00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94c00000" filename = "" Region: id = 1446 start_va = 0xdc94c00000 end_va = 0xdc94c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94c00000" filename = "" Region: id = 1447 start_va = 0xdc94c10000 end_va = 0xdc94c10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94c10000" filename = "" Region: id = 1594 start_va = 0xdc94c10000 end_va = 0xdc94c1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94c10000" filename = "" Region: id = 1595 start_va = 0xdc94c20000 end_va = 0xdc94c2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94c20000" filename = "" Region: id = 1596 start_va = 0xdc94c30000 end_va = 0xdc94c30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94c30000" filename = "" Region: id = 2590 start_va = 0xdc94c30000 end_va = 0xdc94c3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94c30000" filename = "" Region: id = 2591 start_va = 0xdc94c40000 end_va = 0xdc94c7ffff entry_point = 0x0 region_type = private name = "private_0x000000dc94c40000" filename = "" Region: id = 2592 start_va = 0xdc94c80000 end_va = 0xdc94d3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94c80000" filename = "" Region: id = 2593 start_va = 0xdc94d40000 end_va = 0xdc94d4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94d40000" filename = "" Region: id = 2594 start_va = 0xdc94d50000 end_va = 0xdc94e0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94d50000" filename = "" Region: id = 2595 start_va = 0xdc94e10000 end_va = 0xdc94e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94e10000" filename = "" Region: id = 2596 start_va = 0xdc94e20000 end_va = 0xdc94e2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94e20000" filename = "" Region: id = 2597 start_va = 0xdc94e30000 end_va = 0xdc94e6ffff entry_point = 0x0 region_type = private name = "private_0x000000dc94e30000" filename = "" Region: id = 2598 start_va = 0xdc94e70000 end_va = 0xdc94e7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94e70000" filename = "" Region: id = 2599 start_va = 0xdc94e80000 end_va = 0xdc94f3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94e80000" filename = "" Region: id = 2600 start_va = 0x7ff6acbaa000 end_va = 0x7ff6acbabfff entry_point = 0x0 region_type = private name = "private_0x00007ff6acbaa000" filename = "" Region: id = 2601 start_va = 0x7ff6acbac000 end_va = 0x7ff6acbadfff entry_point = 0x0 region_type = private name = "private_0x00007ff6acbac000" filename = "" Region: id = 2602 start_va = 0xdc94f40000 end_va = 0xdc94f40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94f40000" filename = "" Region: id = 2674 start_va = 0xdc94f40000 end_va = 0xdc94f4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94f40000" filename = "" Region: id = 2675 start_va = 0xdc94f50000 end_va = 0xdc94f50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dc94f50000" filename = "" Thread: id = 73 os_tid = 0x134 Thread: id = 83 os_tid = 0x158 Thread: id = 84 os_tid = 0x15c Thread: id = 85 os_tid = 0x160 Thread: id = 86 os_tid = 0x164 Thread: id = 98 os_tid = 0x19c Thread: id = 105 os_tid = 0x1b8 Thread: id = 107 os_tid = 0x1c0 Thread: id = 165 os_tid = 0x2b0 Thread: id = 219 os_tid = 0x38c Process: id = "15" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x517da000" os_pid = "0x168" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xe8" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000001 00000050 " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 925 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 926 start_va = 0xefca0e0000 end_va = 0xefca0fffff entry_point = 0x0 region_type = private name = "private_0x000000efca0e0000" filename = "" Region: id = 927 start_va = 0xefca100000 end_va = 0xefca10efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000efca100000" filename = "" Region: id = 928 start_va = 0xefca110000 end_va = 0xefca18ffff entry_point = 0x0 region_type = private name = "private_0x000000efca110000" filename = "" Region: id = 929 start_va = 0x7ff64ebc0000 end_va = 0x7ff64ebe2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff64ebc0000" filename = "" Region: id = 930 start_va = 0x7ff64ebea000 end_va = 0x7ff64ebeafff entry_point = 0x0 region_type = private name = "private_0x00007ff64ebea000" filename = "" Region: id = 931 start_va = 0x7ff64ebee000 end_va = 0x7ff64ebeffff entry_point = 0x0 region_type = private name = "private_0x00007ff64ebee000" filename = "" Region: id = 932 start_va = 0x7ff64f320000 end_va = 0x7ff64f344fff entry_point = 0x7ff64f320000 region_type = mapped_file name = "smss.exe" filename = "\\Windows\\System32\\smss.exe" (normalized: "c:\\windows\\system32\\smss.exe") Region: id = 933 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 87 os_tid = 0x16c Process: id = "16" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x51477000" os_pid = "0x170" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0x168" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 934 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 935 start_va = 0x458deb0000 end_va = 0x458decffff entry_point = 0x0 region_type = private name = "private_0x000000458deb0000" filename = "" Region: id = 936 start_va = 0x458ded0000 end_va = 0x458dedefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458ded0000" filename = "" Region: id = 937 start_va = 0x458dee0000 end_va = 0x458df1ffff entry_point = 0x0 region_type = private name = "private_0x000000458dee0000" filename = "" Region: id = 938 start_va = 0x7ff6ad800000 end_va = 0x7ff6ad822fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6ad800000" filename = "" Region: id = 939 start_va = 0x7ff6ad82c000 end_va = 0x7ff6ad82cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6ad82c000" filename = "" Region: id = 940 start_va = 0x7ff6ad82e000 end_va = 0x7ff6ad82ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6ad82e000" filename = "" Region: id = 941 start_va = 0x7ff6ad990000 end_va = 0x7ff6ad996fff entry_point = 0x7ff6ad990000 region_type = mapped_file name = "csrss.exe" filename = "\\Windows\\System32\\csrss.exe" (normalized: "c:\\windows\\system32\\csrss.exe") Region: id = 942 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 943 start_va = 0x458dfa0000 end_va = 0x458e09ffff entry_point = 0x0 region_type = private name = "private_0x000000458dfa0000" filename = "" Region: id = 944 start_va = 0x7ff6ad700000 end_va = 0x7ff6ad7fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6ad700000" filename = "" Region: id = 945 start_va = 0x7ff9fc8a0000 end_va = 0x7ff9fc8d1fff entry_point = 0x7ff9fc8a0000 region_type = mapped_file name = "winsrv.dll" filename = "\\Windows\\System32\\winsrv.dll" (normalized: "c:\\windows\\system32\\winsrv.dll") Region: id = 946 start_va = 0x7ff9fc8e0000 end_va = 0x7ff9fc8f2fff entry_point = 0x7ff9fc8e0000 region_type = mapped_file name = "basesrv.dll" filename = "\\Windows\\System32\\basesrv.dll" (normalized: "c:\\windows\\system32\\basesrv.dll") Region: id = 947 start_va = 0x7ff9fc900000 end_va = 0x7ff9fc915fff entry_point = 0x7ff9fc900000 region_type = mapped_file name = "csrsrv.dll" filename = "\\Windows\\System32\\csrsrv.dll" (normalized: "c:\\windows\\system32\\csrsrv.dll") Region: id = 948 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 949 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 950 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 951 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 963 start_va = 0x458deb0000 end_va = 0x458deb6fff entry_point = 0x0 region_type = private name = "private_0x000000458deb0000" filename = "" Region: id = 964 start_va = 0x458dec0000 end_va = 0x458dec2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458dec0000" filename = "" Region: id = 965 start_va = 0x458df20000 end_va = 0x458df9dfff entry_point = 0x458df20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 966 start_va = 0x458e0a0000 end_va = 0x458e220fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458e0a0000" filename = "" Region: id = 967 start_va = 0x458e230000 end_va = 0x458e230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458e230000" filename = "" Region: id = 968 start_va = 0x458e240000 end_va = 0x458e63bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458e240000" filename = "" Region: id = 969 start_va = 0x458e640000 end_va = 0x458e640fff entry_point = 0x0 region_type = private name = "private_0x000000458e640000" filename = "" Region: id = 970 start_va = 0x458e650000 end_va = 0x458e650fff entry_point = 0x0 region_type = private name = "private_0x000000458e650000" filename = "" Region: id = 971 start_va = 0x458e660000 end_va = 0x458e660fff entry_point = 0x0 region_type = private name = "private_0x000000458e660000" filename = "" Region: id = 972 start_va = 0x458e670000 end_va = 0x458eb61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458e670000" filename = "" Region: id = 973 start_va = 0x458eb70000 end_va = 0x458eb70fff entry_point = 0x0 region_type = private name = "private_0x000000458eb70000" filename = "" Region: id = 974 start_va = 0x458eb80000 end_va = 0x458eb81fff entry_point = 0x458eb80000 region_type = mapped_file name = "vgasys.fon" filename = "\\Windows\\Fonts\\vgasys.fon" (normalized: "c:\\windows\\fonts\\vgasys.fon") Region: id = 975 start_va = 0x458eb90000 end_va = 0x458ebcffff entry_point = 0x0 region_type = private name = "private_0x000000458eb90000" filename = "" Region: id = 976 start_va = 0x7ff6ad82a000 end_va = 0x7ff6ad82bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6ad82a000" filename = "" Region: id = 977 start_va = 0x458ebd0000 end_va = 0x458ec0ffff entry_point = 0x0 region_type = private name = "private_0x000000458ebd0000" filename = "" Region: id = 978 start_va = 0x7ff6ad828000 end_va = 0x7ff6ad829fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ad828000" filename = "" Region: id = 979 start_va = 0x7ff9fc890000 end_va = 0x7ff9fc89cfff entry_point = 0x7ff9fc890000 region_type = mapped_file name = "sxssrv.dll" filename = "\\Windows\\System32\\sxssrv.dll" (normalized: "c:\\windows\\system32\\sxssrv.dll") Region: id = 1103 start_va = 0x458dee0000 end_va = 0x458deeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458dee0000" filename = "" Region: id = 1104 start_va = 0x458def0000 end_va = 0x458def6fff entry_point = 0x458def0000 region_type = mapped_file name = "marlett.ttf" filename = "\\Windows\\Fonts\\marlett.ttf" (normalized: "c:\\windows\\fonts\\marlett.ttf") Region: id = 1105 start_va = 0x458df00000 end_va = 0x458df17fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458df00000" filename = "" Region: id = 1106 start_va = 0x458ec10000 end_va = 0x458ec4ffff entry_point = 0x0 region_type = private name = "private_0x000000458ec10000" filename = "" Region: id = 1107 start_va = 0x458ec50000 end_va = 0x458ec8ffff entry_point = 0x0 region_type = private name = "private_0x000000458ec50000" filename = "" Region: id = 1108 start_va = 0x458ec90000 end_va = 0x458ee17fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458ec90000" filename = "" Region: id = 1109 start_va = 0x458ee20000 end_va = 0x458ee20fff entry_point = 0x0 region_type = private name = "private_0x000000458ee20000" filename = "" Region: id = 1110 start_va = 0x458ee30000 end_va = 0x458ee6ffff entry_point = 0x0 region_type = private name = "private_0x000000458ee30000" filename = "" Region: id = 1111 start_va = 0x458ee70000 end_va = 0x458eeaffff entry_point = 0x0 region_type = private name = "private_0x000000458ee70000" filename = "" Region: id = 1112 start_va = 0x458eeb0000 end_va = 0x458eeeffff entry_point = 0x0 region_type = private name = "private_0x000000458eeb0000" filename = "" Region: id = 1113 start_va = 0x458eef0000 end_va = 0x458efbdfff entry_point = 0x458eef0000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 1114 start_va = 0x458efc0000 end_va = 0x458efeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458efc0000" filename = "" Region: id = 1115 start_va = 0x458eff0000 end_va = 0x45903effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458eff0000" filename = "" Region: id = 1116 start_va = 0x7ff6ad6fc000 end_va = 0x7ff6ad6fdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6ad6fc000" filename = "" Region: id = 1117 start_va = 0x7ff6ad6fe000 end_va = 0x7ff6ad6fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6ad6fe000" filename = "" Region: id = 1118 start_va = 0x7ff6ad824000 end_va = 0x7ff6ad825fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ad824000" filename = "" Region: id = 1119 start_va = 0x7ff6ad826000 end_va = 0x7ff6ad827fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ad826000" filename = "" Region: id = 1657 start_va = 0x45903f0000 end_va = 0x459042ffff entry_point = 0x0 region_type = private name = "private_0x00000045903f0000" filename = "" Region: id = 1658 start_va = 0x7ff6ad6fa000 end_va = 0x7ff6ad6fbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6ad6fa000" filename = "" Region: id = 1659 start_va = 0x7ff9fc6f0000 end_va = 0x7ff9fc786fff entry_point = 0x7ff9fc6f0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1660 start_va = 0x4590430000 end_va = 0x4590430fff entry_point = 0x0 region_type = private name = "private_0x0000004590430000" filename = "" Region: id = 1661 start_va = 0x4590440000 end_va = 0x4590440fff entry_point = 0x0 region_type = private name = "private_0x0000004590440000" filename = "" Region: id = 1662 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1663 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1664 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1665 start_va = 0x4590450000 end_va = 0x4590453fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004590450000" filename = "" Region: id = 1694 start_va = 0x4590450000 end_va = 0x4590452fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004590450000" filename = "" Region: id = 1707 start_va = 0x4590450000 end_va = 0x459045ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004590450000" filename = "" Region: id = 1708 start_va = 0x4590460000 end_va = 0x4590462fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004590460000" filename = "" Region: id = 1762 start_va = 0x4590460000 end_va = 0x459046ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004590460000" filename = "" Region: id = 1763 start_va = 0x4590470000 end_va = 0x4590472fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004590470000" filename = "" Region: id = 1811 start_va = 0x4590470000 end_va = 0x4590471fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004590470000" filename = "" Region: id = 1876 start_va = 0x4590470000 end_va = 0x4590470fff entry_point = 0x4590470000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1877 start_va = 0x4590480000 end_va = 0x4590481fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004590480000" filename = "" Region: id = 1969 start_va = 0x4590470000 end_va = 0x4590471fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004590470000" filename = "" Region: id = 2084 start_va = 0x4590470000 end_va = 0x4590471fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004590470000" filename = "" Region: id = 2138 start_va = 0x458e670000 end_va = 0x458e671fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000458e670000" filename = "" Thread: id = 88 os_tid = 0x174 Thread: id = 90 os_tid = 0x180 Thread: id = 91 os_tid = 0x184 Thread: id = 92 os_tid = 0x188 Thread: id = 93 os_tid = 0x18c Thread: id = 94 os_tid = 0x190 Thread: id = 102 os_tid = 0x1ac Thread: id = 106 os_tid = 0x1bc Thread: id = 108 os_tid = 0x1c4 Thread: id = 150 os_tid = 0x26c Process: id = "17" image_name = "wininit.exe" filename = "c:\\windows\\system32\\wininit.exe" page_root = "0x3f3ad000" os_pid = "0x178" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x128" cmd_line = "wininit.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 952 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 953 start_va = 0x77d5e70000 end_va = 0x77d5e8ffff entry_point = 0x0 region_type = private name = "private_0x00000077d5e70000" filename = "" Region: id = 954 start_va = 0x77d5e90000 end_va = 0x77d5e9efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d5e90000" filename = "" Region: id = 955 start_va = 0x77d5ea0000 end_va = 0x77d5f1ffff entry_point = 0x0 region_type = private name = "private_0x00000077d5ea0000" filename = "" Region: id = 956 start_va = 0x7ff78a460000 end_va = 0x7ff78a482fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff78a460000" filename = "" Region: id = 957 start_va = 0x7ff78a485000 end_va = 0x7ff78a485fff entry_point = 0x0 region_type = private name = "private_0x00007ff78a485000" filename = "" Region: id = 958 start_va = 0x7ff78a48e000 end_va = 0x7ff78a48ffff entry_point = 0x0 region_type = private name = "private_0x00007ff78a48e000" filename = "" Region: id = 959 start_va = 0x7ff78a810000 end_va = 0x7ff78a835fff entry_point = 0x7ff78a810000 region_type = mapped_file name = "wininit.exe" filename = "\\Windows\\System32\\wininit.exe" (normalized: "c:\\windows\\system32\\wininit.exe") Region: id = 960 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 980 start_va = 0x77d5fe0000 end_va = 0x77d60dffff entry_point = 0x0 region_type = private name = "private_0x00000077d5fe0000" filename = "" Region: id = 981 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 982 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 983 start_va = 0x77d5e70000 end_va = 0x77d5e7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d5e70000" filename = "" Region: id = 984 start_va = 0x7ff78a360000 end_va = 0x7ff78a45ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff78a360000" filename = "" Region: id = 985 start_va = 0x77d5f20000 end_va = 0x77d5f9dfff entry_point = 0x77d5f20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 986 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 987 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 988 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1007 start_va = 0x7ff9fc870000 end_va = 0x7ff9fc883fff entry_point = 0x7ff9fc870000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1011 start_va = 0x77d60e0000 end_va = 0x77d615ffff entry_point = 0x0 region_type = private name = "private_0x00000077d60e0000" filename = "" Region: id = 1012 start_va = 0x77d5e80000 end_va = 0x77d5e86fff entry_point = 0x0 region_type = private name = "private_0x00000077d5e80000" filename = "" Region: id = 1016 start_va = 0x77d6160000 end_va = 0x77d61dffff entry_point = 0x0 region_type = private name = "private_0x00000077d6160000" filename = "" Region: id = 1017 start_va = 0x77d5fa0000 end_va = 0x77d5fa6fff entry_point = 0x0 region_type = private name = "private_0x00000077d5fa0000" filename = "" Region: id = 1018 start_va = 0x7ff9fc810000 end_va = 0x7ff9fc819fff entry_point = 0x7ff9fc810000 region_type = mapped_file name = "wininitext.dll" filename = "\\Windows\\System32\\wininitext.dll" (normalized: "c:\\windows\\system32\\wininitext.dll") Region: id = 1019 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1020 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1021 start_va = 0x77d61e0000 end_va = 0x77d6367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d61e0000" filename = "" Region: id = 1022 start_va = 0x77d6370000 end_va = 0x77d64f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d6370000" filename = "" Region: id = 1023 start_va = 0x77d5fb0000 end_va = 0x77d5fb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d5fb0000" filename = "" Region: id = 1024 start_va = 0x77d5fc0000 end_va = 0x77d5fc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d5fc0000" filename = "" Region: id = 1025 start_va = 0x77d5fd0000 end_va = 0x77d5fd0fff entry_point = 0x0 region_type = private name = "private_0x00000077d5fd0000" filename = "" Region: id = 1026 start_va = 0x77d60e0000 end_va = 0x77d60e0fff entry_point = 0x0 region_type = private name = "private_0x00000077d60e0000" filename = "" Region: id = 1027 start_va = 0x77d6150000 end_va = 0x77d615ffff entry_point = 0x0 region_type = private name = "private_0x00000077d6150000" filename = "" Region: id = 1028 start_va = 0x77d6500000 end_va = 0x77d68fbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d6500000" filename = "" Region: id = 1029 start_va = 0x77d6900000 end_va = 0x77d697ffff entry_point = 0x0 region_type = private name = "private_0x00000077d6900000" filename = "" Region: id = 1030 start_va = 0x7ff78a48c000 end_va = 0x7ff78a48dfff entry_point = 0x0 region_type = private name = "private_0x00007ff78a48c000" filename = "" Region: id = 1031 start_va = 0x77d6980000 end_va = 0x77d69fffff entry_point = 0x0 region_type = private name = "private_0x00000077d6980000" filename = "" Region: id = 1032 start_va = 0x7ff78a48a000 end_va = 0x7ff78a48bfff entry_point = 0x0 region_type = private name = "private_0x00007ff78a48a000" filename = "" Region: id = 1033 start_va = 0x7ff9fc7e0000 end_va = 0x7ff9fc7e3fff entry_point = 0x7ff9fc7e0000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 1034 start_va = 0x77d60f0000 end_va = 0x77d60f0fff entry_point = 0x0 region_type = private name = "private_0x00000077d60f0000" filename = "" Region: id = 1043 start_va = 0x77d6a00000 end_va = 0x77d7326fff entry_point = 0x77d6a00000 region_type = mapped_file name = "malgun.ttf" filename = "\\Windows\\Fonts\\malgun.ttf" (normalized: "c:\\windows\\fonts\\malgun.ttf") Region: id = 1058 start_va = 0x77d6a00000 end_va = 0x77d7ea1fff entry_point = 0x77d6a00000 region_type = mapped_file name = "msyh.ttc" filename = "\\Windows\\Fonts\\msyh.ttc" (normalized: "c:\\windows\\fonts\\msyh.ttc") Region: id = 1059 start_va = 0x77d6a00000 end_va = 0x77d7982fff entry_point = 0x77d6a00000 region_type = mapped_file name = "batang.ttc" filename = "\\Windows\\Fonts\\batang.ttc" (normalized: "c:\\windows\\fonts\\batang.ttc") Region: id = 1062 start_va = 0x77d6a00000 end_va = 0x77d7281fff entry_point = 0x77d6a00000 region_type = mapped_file name = "malgunbd.ttf" filename = "\\Windows\\Fonts\\malgunbd.ttf" (normalized: "c:\\windows\\fonts\\malgunbd.ttf") Region: id = 1063 start_va = 0x77d6a00000 end_va = 0x77d6acbfff entry_point = 0x77d6a00000 region_type = mapped_file name = "segoeuib.ttf" filename = "\\Windows\\Fonts\\segoeuib.ttf" (normalized: "c:\\windows\\fonts\\segoeuib.ttf") Region: id = 1065 start_va = 0x77d6a00000 end_va = 0x77d739dfff entry_point = 0x77d6a00000 region_type = mapped_file name = "msmincho.ttc" filename = "\\Windows\\Fonts\\msmincho.ttc" (normalized: "c:\\windows\\fonts\\msmincho.ttc") Region: id = 1066 start_va = 0x77d6a00000 end_va = 0x77d6acdfff entry_point = 0x77d6a00000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 1069 start_va = 0x77d6a00000 end_va = 0x77d6ab6fff entry_point = 0x77d6a00000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 1070 start_va = 0x77d6a00000 end_va = 0x77d7b69fff entry_point = 0x77d6a00000 region_type = mapped_file name = "simsun.ttc" filename = "\\Windows\\Fonts\\simsun.ttc" (normalized: "c:\\windows\\fonts\\simsun.ttc") Region: id = 1072 start_va = 0x77d6a00000 end_va = 0x77d734afff entry_point = 0x77d6a00000 region_type = mapped_file name = "meiryob.ttc" filename = "\\Windows\\Fonts\\meiryob.ttc" (normalized: "c:\\windows\\fonts\\meiryob.ttc") Region: id = 1077 start_va = 0x77d6a00000 end_va = 0x77d72c8fff entry_point = 0x77d6a00000 region_type = mapped_file name = "msgothic.ttc" filename = "\\Windows\\Fonts\\msgothic.ttc" (normalized: "c:\\windows\\fonts\\msgothic.ttc") Region: id = 1078 start_va = 0x77d6a00000 end_va = 0x77d76e5fff entry_point = 0x77d6a00000 region_type = mapped_file name = "gulim.ttc" filename = "\\Windows\\Fonts\\gulim.ttc" (normalized: "c:\\windows\\fonts\\gulim.ttc") Region: id = 1079 start_va = 0x77d6a00000 end_va = 0x77d77c4fff entry_point = 0x77d6a00000 region_type = mapped_file name = "msjhbd.ttc" filename = "\\Windows\\Fonts\\msjhbd.ttc" (normalized: "c:\\windows\\fonts\\msjhbd.ttc") Region: id = 1082 start_va = 0x77d6a00000 end_va = 0x77d77cafff entry_point = 0x77d6a00000 region_type = mapped_file name = "msyhbd.ttc" filename = "\\Windows\\Fonts\\msyhbd.ttc" (normalized: "c:\\windows\\fonts\\msyhbd.ttc") Region: id = 1083 start_va = 0x77d6a00000 end_va = 0x77d6aa2fff entry_point = 0x77d6a00000 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 1084 start_va = 0x77d6a00000 end_va = 0x77d843bfff entry_point = 0x77d6a00000 region_type = mapped_file name = "mingliu.ttc" filename = "\\Windows\\Fonts\\mingliu.ttc" (normalized: "c:\\windows\\fonts\\mingliu.ttc") Region: id = 1089 start_va = 0x77d6a00000 end_va = 0x77d7e7cfff entry_point = 0x77d6a00000 region_type = mapped_file name = "msjh.ttc" filename = "\\Windows\\Fonts\\msjh.ttc" (normalized: "c:\\windows\\fonts\\msjh.ttc") Region: id = 1090 start_va = 0x77d6a00000 end_va = 0x77d7315fff entry_point = 0x77d6a00000 region_type = mapped_file name = "meiryo.ttc" filename = "\\Windows\\Fonts\\meiryo.ttc" (normalized: "c:\\windows\\fonts\\meiryo.ttc") Region: id = 1092 start_va = 0x77d6100000 end_va = 0x77d6104fff entry_point = 0x77d6100000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1093 start_va = 0x77d6110000 end_va = 0x77d613ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d6110000" filename = "" Region: id = 1094 start_va = 0x7ff9fc7e0000 end_va = 0x7ff9fc7e3fff entry_point = 0x7ff9fc7e0000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 1095 start_va = 0x77d5fb0000 end_va = 0x77d5fb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d5fb0000" filename = "" Region: id = 1096 start_va = 0x77d5fc0000 end_va = 0x77d5fc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d5fc0000" filename = "" Region: id = 1097 start_va = 0x77d60f0000 end_va = 0x77d60f4fff entry_point = 0x77d60f0000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1098 start_va = 0x77d6100000 end_va = 0x77d6107fff entry_point = 0x77d6100000 region_type = mapped_file name = "aero_arrow.cur" filename = "\\Windows\\Cursors\\aero_arrow.cur" (normalized: "c:\\windows\\cursors\\aero_arrow.cur") Region: id = 1099 start_va = 0x77d6500000 end_va = 0x77d6587fff entry_point = 0x77d6500000 region_type = mapped_file name = "aero_busy.ani" filename = "\\Windows\\Cursors\\aero_busy.ani" (normalized: "c:\\windows\\cursors\\aero_busy.ani") Region: id = 1100 start_va = 0x77d6100000 end_va = 0x77d6107fff entry_point = 0x77d6100000 region_type = mapped_file name = "aero_up.cur" filename = "\\Windows\\Cursors\\aero_up.cur" (normalized: "c:\\windows\\cursors\\aero_up.cur") Region: id = 1101 start_va = 0x77d6500000 end_va = 0x77d6587fff entry_point = 0x77d6500000 region_type = mapped_file name = "aero_working.ani" filename = "\\Windows\\Cursors\\aero_working.ani" (normalized: "c:\\windows\\cursors\\aero_working.ani") Region: id = 1102 start_va = 0x77d6100000 end_va = 0x77d6107fff entry_point = 0x77d6100000 region_type = mapped_file name = "aero_helpsel.cur" filename = "\\Windows\\Cursors\\aero_helpsel.cur" (normalized: "c:\\windows\\cursors\\aero_helpsel.cur") Region: id = 1132 start_va = 0x7ff9fc780000 end_va = 0x7ff9fc787fff entry_point = 0x7ff9fc780000 region_type = mapped_file name = "wls0wndh.dll" filename = "\\Windows\\System32\\WlS0WndH.dll" (normalized: "c:\\windows\\system32\\wls0wndh.dll") Region: id = 1133 start_va = 0x77d6a00000 end_va = 0x77d7dfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000077d6a00000" filename = "" Region: id = 1134 start_va = 0x77d6500000 end_va = 0x77d657ffff entry_point = 0x0 region_type = private name = "private_0x00000077d6500000" filename = "" Region: id = 1135 start_va = 0x77d6580000 end_va = 0x77d6854fff entry_point = 0x77d6580000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1136 start_va = 0x7ff78a488000 end_va = 0x7ff78a489fff entry_point = 0x0 region_type = private name = "private_0x00007ff78a488000" filename = "" Region: id = 1569 start_va = 0x7ff9fd250000 end_va = 0x7ff9fd2a7fff entry_point = 0x7ff9fd250000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1570 start_va = 0x7ff9ff470000 end_va = 0x7ff9ff478fff entry_point = 0x7ff9ff470000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1571 start_va = 0x7ff9fc0d0000 end_va = 0x7ff9fc127fff entry_point = 0x7ff9fc0d0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1579 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1580 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Region: id = 1581 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Region: id = 1582 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Region: id = 1583 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Region: id = 1584 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Region: id = 1585 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Region: id = 1586 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Region: id = 1587 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Region: id = 1588 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Region: id = 1589 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Region: id = 1590 start_va = 0x77d6100000 end_va = 0x77d6100fff entry_point = 0x0 region_type = private name = "private_0x00000077d6100000" filename = "" Thread: id = 89 os_tid = 0x17c Thread: id = 99 os_tid = 0x1a0 Thread: id = 101 os_tid = 0x1a8 Thread: id = 110 os_tid = 0x1c8 Thread: id = 118 os_tid = 0x1f0 Process: id = "18" image_name = "winlogon.exe" filename = "c:\\windows\\system32\\winlogon.exe" page_root = "0x23bd000" os_pid = "0x194" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0x168" cmd_line = "winlogon.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 989 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 990 start_va = 0xe71f8e0000 end_va = 0xe71f8fffff entry_point = 0x0 region_type = private name = "private_0x000000e71f8e0000" filename = "" Region: id = 991 start_va = 0xe71f900000 end_va = 0xe71f90efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71f900000" filename = "" Region: id = 992 start_va = 0xe71f910000 end_va = 0xe71f98ffff entry_point = 0x0 region_type = private name = "private_0x000000e71f910000" filename = "" Region: id = 993 start_va = 0x7ff78b250000 end_va = 0x7ff78b272fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff78b250000" filename = "" Region: id = 994 start_va = 0x7ff78b27a000 end_va = 0x7ff78b27afff entry_point = 0x0 region_type = private name = "private_0x00007ff78b27a000" filename = "" Region: id = 995 start_va = 0x7ff78b27e000 end_va = 0x7ff78b27ffff entry_point = 0x0 region_type = private name = "private_0x00007ff78b27e000" filename = "" Region: id = 996 start_va = 0x7ff78b5a0000 end_va = 0x7ff78b62efff entry_point = 0x7ff78b5a0000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 997 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 998 start_va = 0xe71fb30000 end_va = 0xe71fc2ffff entry_point = 0x0 region_type = private name = "private_0x000000e71fb30000" filename = "" Region: id = 999 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1000 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1001 start_va = 0xe71f8e0000 end_va = 0xe71f8effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71f8e0000" filename = "" Region: id = 1002 start_va = 0x7ff78b150000 end_va = 0x7ff78b24ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff78b150000" filename = "" Region: id = 1003 start_va = 0xe71f990000 end_va = 0xe71fa0dfff entry_point = 0xe71f990000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1004 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1005 start_va = 0x7ff9fd2b0000 end_va = 0x7ff9fd354fff entry_point = 0x7ff9fd2b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1006 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1008 start_va = 0x7ff9fc820000 end_va = 0x7ff9fc864fff entry_point = 0x7ff9fc820000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1009 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1010 start_va = 0xe71f8f0000 end_va = 0xe71f8f6fff entry_point = 0x0 region_type = private name = "private_0x000000e71f8f0000" filename = "" Region: id = 1013 start_va = 0xe71fa10000 end_va = 0xe71fa7ffff entry_point = 0x0 region_type = private name = "private_0x000000e71fa10000" filename = "" Region: id = 1014 start_va = 0xe71fa10000 end_va = 0xe71fa16fff entry_point = 0x0 region_type = private name = "private_0x000000e71fa10000" filename = "" Region: id = 1015 start_va = 0xe71fa70000 end_va = 0xe71fa7ffff entry_point = 0x0 region_type = private name = "private_0x000000e71fa70000" filename = "" Region: id = 1035 start_va = 0x7ff9fc7f0000 end_va = 0x7ff9fc807fff entry_point = 0x7ff9fc7f0000 region_type = mapped_file name = "winlogonext.dll" filename = "\\Windows\\System32\\winlogonext.dll" (normalized: "c:\\windows\\system32\\winlogonext.dll") Region: id = 1036 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1037 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1038 start_va = 0xe71fa20000 end_va = 0xe71fa53fff entry_point = 0xe71fa20000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1039 start_va = 0xe71fc30000 end_va = 0xe71fdb7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71fc30000" filename = "" Region: id = 1040 start_va = 0x7ff9fcf70000 end_va = 0x7ff9fcfa3fff entry_point = 0x7ff9fcf70000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1041 start_va = 0x7ff9fdd30000 end_va = 0x7ff9fde68fff entry_point = 0x7ff9fdd30000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1042 start_va = 0xe71fdc0000 end_va = 0xe71ff40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71fdc0000" filename = "" Region: id = 1044 start_va = 0xe71fa20000 end_va = 0xe71fa22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71fa20000" filename = "" Region: id = 1045 start_va = 0xe71fa30000 end_va = 0xe71fa30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71fa30000" filename = "" Region: id = 1046 start_va = 0xe71fa40000 end_va = 0xe71fa40fff entry_point = 0x0 region_type = private name = "private_0x000000e71fa40000" filename = "" Region: id = 1047 start_va = 0xe71fa50000 end_va = 0xe71fa50fff entry_point = 0x0 region_type = private name = "private_0x000000e71fa50000" filename = "" Region: id = 1048 start_va = 0xe71ff50000 end_va = 0xe72034bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71ff50000" filename = "" Region: id = 1049 start_va = 0x7ff9fc870000 end_va = 0x7ff9fc883fff entry_point = 0x7ff9fc870000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1050 start_va = 0xe71fa80000 end_va = 0xe71fafffff entry_point = 0x0 region_type = private name = "private_0x000000e71fa80000" filename = "" Region: id = 1051 start_va = 0x7ff78b27c000 end_va = 0x7ff78b27dfff entry_point = 0x0 region_type = private name = "private_0x00007ff78b27c000" filename = "" Region: id = 1052 start_va = 0xe720350000 end_va = 0xe7203cffff entry_point = 0x0 region_type = private name = "private_0x000000e720350000" filename = "" Region: id = 1053 start_va = 0x7ff78b278000 end_va = 0x7ff78b279fff entry_point = 0x0 region_type = private name = "private_0x00007ff78b278000" filename = "" Region: id = 1054 start_va = 0x7ff9fc7e0000 end_va = 0x7ff9fc7e3fff entry_point = 0x7ff9fc7e0000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 1055 start_va = 0xe71fa60000 end_va = 0xe71fa60fff entry_point = 0x0 region_type = private name = "private_0x000000e71fa60000" filename = "" Region: id = 1056 start_va = 0xe7203d0000 end_va = 0xe720cf6fff entry_point = 0xe7203d0000 region_type = mapped_file name = "malgun.ttf" filename = "\\Windows\\Fonts\\malgun.ttf" (normalized: "c:\\windows\\fonts\\malgun.ttf") Region: id = 1057 start_va = 0xe7203d0000 end_va = 0xe721871fff entry_point = 0xe7203d0000 region_type = mapped_file name = "msyh.ttc" filename = "\\Windows\\Fonts\\msyh.ttc" (normalized: "c:\\windows\\fonts\\msyh.ttc") Region: id = 1060 start_va = 0xe7203d0000 end_va = 0xe721352fff entry_point = 0xe7203d0000 region_type = mapped_file name = "batang.ttc" filename = "\\Windows\\Fonts\\batang.ttc" (normalized: "c:\\windows\\fonts\\batang.ttc") Region: id = 1061 start_va = 0xe7203d0000 end_va = 0xe720c51fff entry_point = 0xe7203d0000 region_type = mapped_file name = "malgunbd.ttf" filename = "\\Windows\\Fonts\\malgunbd.ttf" (normalized: "c:\\windows\\fonts\\malgunbd.ttf") Region: id = 1064 start_va = 0xe7203d0000 end_va = 0xe72049bfff entry_point = 0xe7203d0000 region_type = mapped_file name = "segoeuib.ttf" filename = "\\Windows\\Fonts\\segoeuib.ttf" (normalized: "c:\\windows\\fonts\\segoeuib.ttf") Region: id = 1067 start_va = 0xe7203d0000 end_va = 0xe720d6dfff entry_point = 0xe7203d0000 region_type = mapped_file name = "msmincho.ttc" filename = "\\Windows\\Fonts\\msmincho.ttc" (normalized: "c:\\windows\\fonts\\msmincho.ttc") Region: id = 1068 start_va = 0xe7203d0000 end_va = 0xe72049dfff entry_point = 0xe7203d0000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 1071 start_va = 0xe7203d0000 end_va = 0xe720486fff entry_point = 0xe7203d0000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 1073 start_va = 0xe7203d0000 end_va = 0xe721539fff entry_point = 0xe7203d0000 region_type = mapped_file name = "simsun.ttc" filename = "\\Windows\\Fonts\\simsun.ttc" (normalized: "c:\\windows\\fonts\\simsun.ttc") Region: id = 1074 start_va = 0xe7203d0000 end_va = 0xe720d1afff entry_point = 0xe7203d0000 region_type = mapped_file name = "meiryob.ttc" filename = "\\Windows\\Fonts\\meiryob.ttc" (normalized: "c:\\windows\\fonts\\meiryob.ttc") Region: id = 1075 start_va = 0xe7203d0000 end_va = 0xe720c98fff entry_point = 0xe7203d0000 region_type = mapped_file name = "msgothic.ttc" filename = "\\Windows\\Fonts\\msgothic.ttc" (normalized: "c:\\windows\\fonts\\msgothic.ttc") Region: id = 1076 start_va = 0xe7203d0000 end_va = 0xe7210b5fff entry_point = 0xe7203d0000 region_type = mapped_file name = "gulim.ttc" filename = "\\Windows\\Fonts\\gulim.ttc" (normalized: "c:\\windows\\fonts\\gulim.ttc") Region: id = 1080 start_va = 0xe7203d0000 end_va = 0xe721194fff entry_point = 0xe7203d0000 region_type = mapped_file name = "msjhbd.ttc" filename = "\\Windows\\Fonts\\msjhbd.ttc" (normalized: "c:\\windows\\fonts\\msjhbd.ttc") Region: id = 1081 start_va = 0xe7203d0000 end_va = 0xe72119afff entry_point = 0xe7203d0000 region_type = mapped_file name = "msyhbd.ttc" filename = "\\Windows\\Fonts\\msyhbd.ttc" (normalized: "c:\\windows\\fonts\\msyhbd.ttc") Region: id = 1085 start_va = 0xe7203d0000 end_va = 0xe720472fff entry_point = 0xe7203d0000 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 1086 start_va = 0xe7203d0000 end_va = 0xe721e0bfff entry_point = 0xe7203d0000 region_type = mapped_file name = "mingliu.ttc" filename = "\\Windows\\Fonts\\mingliu.ttc" (normalized: "c:\\windows\\fonts\\mingliu.ttc") Region: id = 1087 start_va = 0xe7203d0000 end_va = 0xe72184cfff entry_point = 0xe7203d0000 region_type = mapped_file name = "msjh.ttc" filename = "\\Windows\\Fonts\\msjh.ttc" (normalized: "c:\\windows\\fonts\\msjh.ttc") Region: id = 1088 start_va = 0xe7203d0000 end_va = 0xe720ce5fff entry_point = 0xe7203d0000 region_type = mapped_file name = "meiryo.ttc" filename = "\\Windows\\Fonts\\meiryo.ttc" (normalized: "c:\\windows\\fonts\\meiryo.ttc") Region: id = 1091 start_va = 0xe71fb00000 end_va = 0xe71fb04fff entry_point = 0xe71fb00000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1120 start_va = 0xe7203d0000 end_va = 0xe7203fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e7203d0000" filename = "" Region: id = 1121 start_va = 0x7ff9fc7e0000 end_va = 0x7ff9fc7e3fff entry_point = 0x7ff9fc7e0000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 1122 start_va = 0xe71fa20000 end_va = 0xe71fa22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71fa20000" filename = "" Region: id = 1123 start_va = 0xe71fa30000 end_va = 0xe71fa30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71fa30000" filename = "" Region: id = 1124 start_va = 0xe71fa60000 end_va = 0xe71fa64fff entry_point = 0xe71fa60000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1125 start_va = 0xe71fb00000 end_va = 0xe71fb07fff entry_point = 0xe71fb00000 region_type = mapped_file name = "aero_arrow.cur" filename = "\\Windows\\Cursors\\aero_arrow.cur" (normalized: "c:\\windows\\cursors\\aero_arrow.cur") Region: id = 1126 start_va = 0xe71ff50000 end_va = 0xe71ffd7fff entry_point = 0xe71ff50000 region_type = mapped_file name = "aero_busy.ani" filename = "\\Windows\\Cursors\\aero_busy.ani" (normalized: "c:\\windows\\cursors\\aero_busy.ani") Region: id = 1127 start_va = 0xe71fb00000 end_va = 0xe71fb07fff entry_point = 0xe71fb00000 region_type = mapped_file name = "aero_up.cur" filename = "\\Windows\\Cursors\\aero_up.cur" (normalized: "c:\\windows\\cursors\\aero_up.cur") Region: id = 1128 start_va = 0xe71ff50000 end_va = 0xe71ffd7fff entry_point = 0xe71ff50000 region_type = mapped_file name = "aero_working.ani" filename = "\\Windows\\Cursors\\aero_working.ani" (normalized: "c:\\windows\\cursors\\aero_working.ani") Region: id = 1129 start_va = 0xe71fb00000 end_va = 0xe71fb07fff entry_point = 0xe71fb00000 region_type = mapped_file name = "aero_helpsel.cur" filename = "\\Windows\\Cursors\\aero_helpsel.cur" (normalized: "c:\\windows\\cursors\\aero_helpsel.cur") Region: id = 1130 start_va = 0xe71fb00000 end_va = 0xe71fb00fff entry_point = 0x0 region_type = private name = "private_0x000000e71fb00000" filename = "" Region: id = 1131 start_va = 0x7ff9fc790000 end_va = 0x7ff9fc7e6fff entry_point = 0x7ff9fc790000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1617 start_va = 0x7ff9fb720000 end_va = 0x7ff9fb735fff entry_point = 0x7ff9fb720000 region_type = mapped_file name = "uxinit.dll" filename = "\\Windows\\System32\\UXInit.dll" (normalized: "c:\\windows\\system32\\uxinit.dll") Region: id = 1621 start_va = 0xe71fb00000 end_va = 0xe71fb00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71fb00000" filename = "" Region: id = 1622 start_va = 0x7ff9fb5c0000 end_va = 0x7ff9fb6e0fff entry_point = 0x7ff9fb5c0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1623 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1624 start_va = 0xe71ff50000 end_va = 0xe71ffdffff entry_point = 0x0 region_type = private name = "private_0x000000e71ff50000" filename = "" Region: id = 1626 start_va = 0x7ff9fcaf0000 end_va = 0x7ff9fccc6fff entry_point = 0x7ff9fcaf0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1627 start_va = 0x7ff9fc920000 end_va = 0x7ff9fc931fff entry_point = 0x7ff9fc920000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1628 start_va = 0x7ff9fb560000 end_va = 0x7ff9fb568fff entry_point = 0x7ff9fb560000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 1629 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1630 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1636 start_va = 0xe71ff50000 end_va = 0xe71ff8bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71ff50000" filename = "" Region: id = 1637 start_va = 0xe71ff90000 end_va = 0xe71ffcbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71ff90000" filename = "" Region: id = 1638 start_va = 0xe71ffd0000 end_va = 0xe71ffdffff entry_point = 0x0 region_type = private name = "private_0x000000e71ffd0000" filename = "" Region: id = 1639 start_va = 0xe71ffe0000 end_va = 0xe720147fff entry_point = 0x0 region_type = private name = "private_0x000000e71ffe0000" filename = "" Region: id = 1640 start_va = 0xe720400000 end_va = 0xe720686fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e720400000" filename = "" Region: id = 1641 start_va = 0xe720150000 end_va = 0xe720240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e720150000" filename = "" Region: id = 1642 start_va = 0xe71fb00000 end_va = 0xe71fb03fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71fb00000" filename = "" Region: id = 1643 start_va = 0xe720690000 end_va = 0xe720916fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e720690000" filename = "" Region: id = 1644 start_va = 0xe71ffe0000 end_va = 0xe7200d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71ffe0000" filename = "" Region: id = 1645 start_va = 0xe71fb00000 end_va = 0xe71fb03fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71fb00000" filename = "" Region: id = 1646 start_va = 0xe720690000 end_va = 0xe721a8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e720690000" filename = "" Region: id = 1647 start_va = 0xe71fb10000 end_va = 0xe71fb27fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71fb10000" filename = "" Region: id = 1648 start_va = 0xe71ff50000 end_va = 0xe71ff50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71ff50000" filename = "" Region: id = 1649 start_va = 0xe721a90000 end_va = 0xe721d64fff entry_point = 0xe721a90000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1650 start_va = 0xe71ff50000 end_va = 0xe71ff50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71ff50000" filename = "" Region: id = 1652 start_va = 0xe71ff50000 end_va = 0xe71ffcffff entry_point = 0x0 region_type = private name = "private_0x000000e71ff50000" filename = "" Region: id = 1653 start_va = 0xe71ffe0000 end_va = 0xe72005ffff entry_point = 0x0 region_type = private name = "private_0x000000e71ffe0000" filename = "" Region: id = 1654 start_va = 0x7ff78b274000 end_va = 0x7ff78b275fff entry_point = 0x0 region_type = private name = "private_0x00007ff78b274000" filename = "" Region: id = 1655 start_va = 0x7ff78b276000 end_va = 0x7ff78b277fff entry_point = 0x0 region_type = private name = "private_0x00007ff78b276000" filename = "" Region: id = 1656 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1693 start_va = 0x7ff9fb4a0000 end_va = 0x7ff9fb527fff entry_point = 0x7ff9fb4a0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1697 start_va = 0xe71fb00000 end_va = 0xe71fb01fff entry_point = 0x0 region_type = private name = "private_0x000000e71fb00000" filename = "" Region: id = 1698 start_va = 0xe720060000 end_va = 0xe720060fff entry_point = 0x0 region_type = private name = "private_0x000000e720060000" filename = "" Region: id = 1699 start_va = 0x7ff7a8340000 end_va = 0x7ff7a8360fff entry_point = 0x7ff7a8340000 region_type = mapped_file name = "dwm.exe" filename = "\\Windows\\System32\\dwm.exe" (normalized: "c:\\windows\\system32\\dwm.exe") Region: id = 1700 start_va = 0xe720060000 end_va = 0xe7200c9fff entry_point = 0xe720060000 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 1710 start_va = 0xe720060000 end_va = 0xe7200c9fff entry_point = 0xe720060000 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 2224 start_va = 0xe71ff50000 end_va = 0xe71ff50fff entry_point = 0x0 region_type = private name = "private_0x000000e71ff50000" filename = "" Region: id = 2225 start_va = 0xe720060000 end_va = 0xe7200dffff entry_point = 0x0 region_type = private name = "private_0x000000e720060000" filename = "" Region: id = 2226 start_va = 0x7ff78b14e000 end_va = 0x7ff78b14ffff entry_point = 0x0 region_type = private name = "private_0x00007ff78b14e000" filename = "" Region: id = 2255 start_va = 0xe71ff50000 end_va = 0xe71ff50fff entry_point = 0x0 region_type = private name = "private_0x000000e71ff50000" filename = "" Region: id = 2256 start_va = 0xe721d70000 end_va = 0xe72216bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e721d70000" filename = "" Region: id = 2261 start_va = 0xe71ff50000 end_va = 0xe71ff50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e71ff50000" filename = "" Region: id = 2262 start_va = 0xe7200e0000 end_va = 0xe7201d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e7200e0000" filename = "" Thread: id = 96 os_tid = 0x198 Thread: id = 103 os_tid = 0x1b0 Thread: id = 104 os_tid = 0x1b4 Thread: id = 153 os_tid = 0x278 Thread: id = 154 os_tid = 0x27c Thread: id = 162 os_tid = 0x2a0 Process: id = "19" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x271b000" os_pid = "0x1d0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x178" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1154 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1155 start_va = 0x7a05a80000 end_va = 0x7a05a9ffff entry_point = 0x0 region_type = private name = "private_0x0000007a05a80000" filename = "" Region: id = 1156 start_va = 0x7a05aa0000 end_va = 0x7a05aaefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a05aa0000" filename = "" Region: id = 1157 start_va = 0x7a05ab0000 end_va = 0x7a05b2ffff entry_point = 0x0 region_type = private name = "private_0x0000007a05ab0000" filename = "" Region: id = 1158 start_va = 0x7ff7e5e40000 end_va = 0x7ff7e5e62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7e5e40000" filename = "" Region: id = 1159 start_va = 0x7ff7e5e63000 end_va = 0x7ff7e5e63fff entry_point = 0x0 region_type = private name = "private_0x00007ff7e5e63000" filename = "" Region: id = 1160 start_va = 0x7ff7e5e6e000 end_va = 0x7ff7e5e6ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7e5e6e000" filename = "" Region: id = 1161 start_va = 0x7ff7e6850000 end_va = 0x7ff7e68b4fff entry_point = 0x7ff7e6850000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 1162 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1170 start_va = 0x7a05b30000 end_va = 0x7a05b33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a05b30000" filename = "" Region: id = 1172 start_va = 0x7a05b40000 end_va = 0x7a05b40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a05b40000" filename = "" Region: id = 1173 start_va = 0x7a05cd0000 end_va = 0x7a05dcffff entry_point = 0x0 region_type = private name = "private_0x0000007a05cd0000" filename = "" Region: id = 1174 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1175 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1176 start_va = 0x7a05a80000 end_va = 0x7a05a8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a05a80000" filename = "" Region: id = 1177 start_va = 0x7ff7e5d40000 end_va = 0x7ff7e5e3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7e5d40000" filename = "" Region: id = 1178 start_va = 0x7a05b50000 end_va = 0x7a05bcdfff entry_point = 0x7a05b50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1179 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1202 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1203 start_va = 0x7ff9fc870000 end_va = 0x7ff9fc883fff entry_point = 0x7ff9fc870000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1204 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1205 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1206 start_va = 0x7a05a90000 end_va = 0x7a05a96fff entry_point = 0x0 region_type = private name = "private_0x0000007a05a90000" filename = "" Region: id = 1207 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1212 start_va = 0x7ff9fc4d0000 end_va = 0x7ff9fc4dffff entry_point = 0x7ff9fc4d0000 region_type = mapped_file name = "scext.dll" filename = "\\Windows\\System32\\scext.dll" (normalized: "c:\\windows\\system32\\scext.dll") Region: id = 1213 start_va = 0x7ff9fc4c0000 end_va = 0x7ff9fc4c7fff entry_point = 0x7ff9fc4c0000 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 1222 start_va = 0x7ff9fc4b0000 end_va = 0x7ff9fc4bafff entry_point = 0x7ff9fc4b0000 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 1223 start_va = 0x7ff9fc480000 end_va = 0x7ff9fc4a4fff entry_point = 0x7ff9fc480000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1224 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1225 start_va = 0x7a05dd0000 end_va = 0x7a05efffff entry_point = 0x0 region_type = private name = "private_0x0000007a05dd0000" filename = "" Region: id = 1226 start_va = 0x7a05bd0000 end_va = 0x7a05bd6fff entry_point = 0x0 region_type = private name = "private_0x0000007a05bd0000" filename = "" Region: id = 1227 start_va = 0x7ff9fc460000 end_va = 0x7ff9fc47cfff entry_point = 0x7ff9fc460000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 1237 start_va = 0x7a05be0000 end_va = 0x7a05be4fff entry_point = 0x7a05be0000 region_type = mapped_file name = "1394.pnf" filename = "\\Windows\\Inf\\1394.PNF" (normalized: "c:\\windows\\inf\\1394.pnf") Region: id = 1238 start_va = 0x7a05f00000 end_va = 0x7a061d4fff entry_point = 0x7a05f00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1239 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "acpi.pnf" filename = "\\Windows\\Inf\\acpi.PNF" (normalized: "c:\\windows\\inf\\acpi.pnf") Region: id = 1240 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "acpipagr.pnf" filename = "\\Windows\\Inf\\acpipagr.PNF" (normalized: "c:\\windows\\inf\\acpipagr.pnf") Region: id = 1241 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "acpipmi.pnf" filename = "\\Windows\\Inf\\acpipmi.PNF" (normalized: "c:\\windows\\inf\\acpipmi.pnf") Region: id = 1242 start_va = 0x7a05be0000 end_va = 0x7a05cbffff entry_point = 0x7a05be0000 region_type = mapped_file name = "machine.pnf" filename = "\\Windows\\Inf\\machine.PNF" (normalized: "c:\\windows\\inf\\machine.pnf") Region: id = 1243 start_va = 0x7a05be0000 end_va = 0x7a05be6fff entry_point = 0x7a05be0000 region_type = mapped_file name = "cpu.pnf" filename = "\\Windows\\Inf\\cpu.PNF" (normalized: "c:\\windows\\inf\\cpu.pnf") Region: id = 1246 start_va = 0x7a05be0000 end_va = 0x7a05beefff entry_point = 0x7a05be0000 region_type = mapped_file name = "arcsas.pnf" filename = "\\Windows\\Inf\\arcsas.PNF" (normalized: "c:\\windows\\inf\\arcsas.pnf") Region: id = 1248 start_va = 0x7a05be0000 end_va = 0x7a05bf0fff entry_point = 0x7a05be0000 region_type = mapped_file name = "mshdc.pnf" filename = "\\Windows\\Inf\\mshdc.PNF" (normalized: "c:\\windows\\inf\\mshdc.pnf") Region: id = 1250 start_va = 0x7a05be0000 end_va = 0x7a05be3fff entry_point = 0x7a05be0000 region_type = mapped_file name = "netbvbda.pnf" filename = "\\Windows\\Inf\\netbvbda.PNF" (normalized: "c:\\windows\\inf\\netbvbda.pnf") Region: id = 1251 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "bcmfn2.pnf" filename = "\\Windows\\Inf\\bcmfn2.PNF" (normalized: "c:\\windows\\inf\\bcmfn2.pnf") Region: id = 1253 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "bthaudhid.pnf" filename = "\\Windows\\Inf\\bthaudhid.PNF" (normalized: "c:\\windows\\inf\\bthaudhid.pnf") Region: id = 1254 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "bthaudhid.pnf" filename = "\\Windows\\Inf\\bthaudhid.PNF" (normalized: "c:\\windows\\inf\\bthaudhid.pnf") Region: id = 1255 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "bthspp.pnf" filename = "\\Windows\\Inf\\bthspp.PNF" (normalized: "c:\\windows\\inf\\bthspp.pnf") Region: id = 1263 start_va = 0x7a05be0000 end_va = 0x7a05be3fff entry_point = 0x7a05be0000 region_type = mapped_file name = "cdrom.pnf" filename = "\\Windows\\Inf\\cdrom.PNF" (normalized: "c:\\windows\\inf\\cdrom.pnf") Region: id = 1264 start_va = 0x7a05be0000 end_va = 0x7a05be5fff entry_point = 0x7a05be0000 region_type = mapped_file name = "circlass.pnf" filename = "\\Windows\\Inf\\circlass.PNF" (normalized: "c:\\windows\\inf\\circlass.pnf") Region: id = 1266 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "cmbatt.pnf" filename = "\\Windows\\Inf\\cmbatt.PNF" (normalized: "c:\\windows\\inf\\cmbatt.pnf") Region: id = 1267 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "compositebus.pnf" filename = "\\Windows\\Inf\\CompositeBus.PNF" (normalized: "c:\\windows\\inf\\compositebus.pnf") Region: id = 1271 start_va = 0x7a05be0000 end_va = 0x7a05be4fff entry_point = 0x7a05be0000 region_type = mapped_file name = "disk.pnf" filename = "\\Windows\\Inf\\disk.PNF" (normalized: "c:\\windows\\inf\\disk.pnf") Region: id = 1274 start_va = 0x7a05be0000 end_va = 0x7a05be5fff entry_point = 0x7a05be0000 region_type = mapped_file name = "wdmaudio.pnf" filename = "\\Windows\\Inf\\wdmaudio.PNF" (normalized: "c:\\windows\\inf\\wdmaudio.pnf") Region: id = 1275 start_va = 0x7a05be0000 end_va = 0x7a05bfafff entry_point = 0x7a05be0000 region_type = mapped_file name = "net1ic64.pnf" filename = "\\Windows\\Inf\\net1ic64.PNF" (normalized: "c:\\windows\\inf\\net1ic64.pnf") Region: id = 1276 start_va = 0x7a05be0000 end_va = 0x7a05bfdfff entry_point = 0x7a05be0000 region_type = mapped_file name = "netevbda.pnf" filename = "\\Windows\\Inf\\netevbda.PNF" (normalized: "c:\\windows\\inf\\netevbda.pnf") Region: id = 1278 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "ehstortcgdrv.pnf" filename = "\\Windows\\Inf\\ehstortcgdrv.PNF" (normalized: "c:\\windows\\inf\\ehstortcgdrv.pnf") Region: id = 1279 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "errdev.pnf" filename = "\\Windows\\Inf\\errdev.PNF" (normalized: "c:\\windows\\inf\\errdev.pnf") Region: id = 1286 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "fdc.pnf" filename = "\\Windows\\Inf\\fdc.PNF" (normalized: "c:\\windows\\inf\\fdc.pnf") Region: id = 1289 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "flpydisk.pnf" filename = "\\Windows\\Inf\\flpydisk.PNF" (normalized: "c:\\windows\\inf\\flpydisk.pnf") Region: id = 1294 start_va = 0x7a05be0000 end_va = 0x7a05be6fff entry_point = 0x7a05be0000 region_type = mapped_file name = "cpu.pnf" filename = "\\Windows\\Inf\\cpu.PNF" (normalized: "c:\\windows\\inf\\cpu.pnf") Region: id = 1295 start_va = 0x7a05be0000 end_va = 0x7a05cbffff entry_point = 0x7a05be0000 region_type = mapped_file name = "machine.pnf" filename = "\\Windows\\Inf\\machine.PNF" (normalized: "c:\\windows\\inf\\machine.pnf") Region: id = 1296 start_va = 0x7a05be0000 end_va = 0x7a05be3fff entry_point = 0x7a05be0000 region_type = mapped_file name = "wgencounter.pnf" filename = "\\Windows\\Inf\\wgencounter.PNF" (normalized: "c:\\windows\\inf\\wgencounter.pnf") Region: id = 1297 start_va = 0x7a05be0000 end_va = 0x7a05bfffff entry_point = 0x7a05be0000 region_type = mapped_file name = "hdaudio.pnf" filename = "\\Windows\\Inf\\hdaudio.PNF" (normalized: "c:\\windows\\inf\\hdaudio.pnf") Region: id = 1301 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "hdaudbus.pnf" filename = "\\Windows\\Inf\\hdaudbus.PNF" (normalized: "c:\\windows\\inf\\hdaudbus.pnf") Region: id = 1302 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "hidbatt.pnf" filename = "\\Windows\\Inf\\hidbatt.PNF" (normalized: "c:\\windows\\inf\\hidbatt.pnf") Region: id = 1304 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "hidbth.pnf" filename = "\\Windows\\Inf\\hidbth.PNF" (normalized: "c:\\windows\\inf\\hidbth.pnf") Region: id = 1305 start_va = 0x7a05be0000 end_va = 0x7a05be8fff entry_point = 0x7a05be0000 region_type = mapped_file name = "hidir.pnf" filename = "\\Windows\\Inf\\hidir.PNF" (normalized: "c:\\windows\\inf\\hidir.pnf") Region: id = 1309 start_va = 0x7a05be0000 end_va = 0x7a05c03fff entry_point = 0x7a05be0000 region_type = mapped_file name = "input.pnf" filename = "\\Windows\\Inf\\input.PNF" (normalized: "c:\\windows\\inf\\input.pnf") Region: id = 1310 start_va = 0x7a05be0000 end_va = 0x7a05bfdfff entry_point = 0x7a05be0000 region_type = mapped_file name = "keyboard.pnf" filename = "\\Windows\\Inf\\keyboard.PNF" (normalized: "c:\\windows\\inf\\keyboard.pnf") Region: id = 1313 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "ialpssi_gpio.pnf" filename = "\\Windows\\Inf\\ialpssi_gpio.PNF" (normalized: "c:\\windows\\inf\\ialpssi_gpio.pnf") Region: id = 1314 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "ialpssi_i2c.pnf" filename = "\\Windows\\Inf\\ialpssi_i2c.PNF" (normalized: "c:\\windows\\inf\\ialpssi_i2c.pnf") Region: id = 1316 start_va = 0x7a05be0000 end_va = 0x7a05be3fff entry_point = 0x7a05be0000 region_type = mapped_file name = "iastorv.pnf" filename = "\\Windows\\Inf\\iastorv.PNF" (normalized: "c:\\windows\\inf\\iastorv.pnf") Region: id = 1317 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "intelpep.pnf" filename = "\\Windows\\Inf\\intelpep.PNF" (normalized: "c:\\windows\\inf\\intelpep.pnf") Region: id = 1318 start_va = 0x7a05be0000 end_va = 0x7a05be6fff entry_point = 0x7a05be0000 region_type = mapped_file name = "cpu.pnf" filename = "\\Windows\\Inf\\cpu.PNF" (normalized: "c:\\windows\\inf\\cpu.pnf") Region: id = 1319 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "iscsi.pnf" filename = "\\Windows\\Inf\\iscsi.PNF" (normalized: "c:\\windows\\inf\\iscsi.pnf") Region: id = 1320 start_va = 0x7a05be0000 end_va = 0x7a05bfdfff entry_point = 0x7a05be0000 region_type = mapped_file name = "keyboard.pnf" filename = "\\Windows\\Inf\\keyboard.PNF" (normalized: "c:\\windows\\inf\\keyboard.pnf") Region: id = 1321 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "kdnic.pnf" filename = "\\Windows\\Inf\\kdnic.PNF" (normalized: "c:\\windows\\inf\\kdnic.pnf") Region: id = 1326 start_va = 0x7a05dd0000 end_va = 0x7a05ee8fff entry_point = 0x7a05dd0000 region_type = mapped_file name = "monitor.pnf" filename = "\\Windows\\Inf\\monitor.PNF" (normalized: "c:\\windows\\inf\\monitor.pnf") Region: id = 1327 start_va = 0x7a05ef0000 end_va = 0x7a05efffff entry_point = 0x0 region_type = private name = "private_0x0000007a05ef0000" filename = "" Region: id = 1330 start_va = 0x7a05be0000 end_va = 0x7a05bf6fff entry_point = 0x7a05be0000 region_type = mapped_file name = "msmouse.pnf" filename = "\\Windows\\Inf\\msmouse.PNF" (normalized: "c:\\windows\\inf\\msmouse.pnf") Region: id = 1331 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "msgpiowin32.pnf" filename = "\\Windows\\Inf\\msgpiowin32.PNF" (normalized: "c:\\windows\\inf\\msgpiowin32.pnf") Region: id = 1333 start_va = 0x7a05be0000 end_va = 0x7a05be4fff entry_point = 0x7a05be0000 region_type = mapped_file name = "ksfilter.pnf" filename = "\\Windows\\Inf\\ksfilter.PNF" (normalized: "c:\\windows\\inf\\ksfilter.pnf") Region: id = 1335 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "mssmbios.pnf" filename = "\\Windows\\Inf\\mssmbios.PNF" (normalized: "c:\\windows\\inf\\mssmbios.pnf") Region: id = 1338 start_va = 0x7a05be0000 end_va = 0x7a05be4fff entry_point = 0x7a05be0000 region_type = mapped_file name = "ksfilter.pnf" filename = "\\Windows\\Inf\\ksfilter.PNF" (normalized: "c:\\windows\\inf\\ksfilter.pnf") Region: id = 1339 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "mtconfig.pnf" filename = "\\Windows\\Inf\\mtconfig.PNF" (normalized: "c:\\windows\\inf\\mtconfig.pnf") Region: id = 1342 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "ndisuio.pnf" filename = "\\Windows\\Inf\\ndisuio.PNF" (normalized: "c:\\windows\\inf\\ndisuio.pnf") Region: id = 1343 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "netnb.pnf" filename = "\\Windows\\Inf\\netnb.PNF" (normalized: "c:\\windows\\inf\\netnb.pnf") Region: id = 1347 start_va = 0x7a05be0000 end_va = 0x7a05cbffff entry_point = 0x7a05be0000 region_type = mapped_file name = "machine.pnf" filename = "\\Windows\\Inf\\machine.PNF" (normalized: "c:\\windows\\inf\\machine.pnf") Region: id = 1359 start_va = 0x7a05be0000 end_va = 0x7a05be8fff entry_point = 0x7a05be0000 region_type = mapped_file name = "msports.pnf" filename = "\\Windows\\Inf\\msports.PNF" (normalized: "c:\\windows\\inf\\msports.pnf") Region: id = 1368 start_va = 0x7a05be0000 end_va = 0x7a05cbffff entry_point = 0x7a05be0000 region_type = mapped_file name = "machine.pnf" filename = "\\Windows\\Inf\\machine.PNF" (normalized: "c:\\windows\\inf\\machine.pnf") Region: id = 1371 start_va = 0x7a05be0000 end_va = 0x7a05be6fff entry_point = 0x7a05be0000 region_type = mapped_file name = "cpu.pnf" filename = "\\Windows\\Inf\\cpu.PNF" (normalized: "c:\\windows\\inf\\cpu.pnf") Region: id = 1391 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "rdpbus.pnf" filename = "\\Windows\\Inf\\rdpbus.PNF" (normalized: "c:\\windows\\inf\\rdpbus.pnf") Region: id = 1392 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "sbp2.pnf" filename = "\\Windows\\Inf\\sbp2.PNF" (normalized: "c:\\windows\\inf\\sbp2.pnf") Region: id = 1393 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "sdstor.pnf" filename = "\\Windows\\Inf\\sdstor.PNF" (normalized: "c:\\windows\\inf\\sdstor.pnf") Region: id = 1394 start_va = 0x7a05be0000 end_va = 0x7a05be8fff entry_point = 0x7a05be0000 region_type = mapped_file name = "msports.pnf" filename = "\\Windows\\Inf\\msports.PNF" (normalized: "c:\\windows\\inf\\msports.pnf") Region: id = 1395 start_va = 0x7a05be0000 end_va = 0x7a05bf6fff entry_point = 0x7a05be0000 region_type = mapped_file name = "msmouse.pnf" filename = "\\Windows\\Inf\\msmouse.PNF" (normalized: "c:\\windows\\inf\\msmouse.pnf") Region: id = 1396 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "flpydisk.pnf" filename = "\\Windows\\Inf\\flpydisk.PNF" (normalized: "c:\\windows\\inf\\flpydisk.pnf") Region: id = 1397 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "spaceport.pnf" filename = "\\Windows\\Inf\\spaceport.PNF" (normalized: "c:\\windows\\inf\\spaceport.pnf") Region: id = 1398 start_va = 0x7a05be0000 end_va = 0x7a05bf0fff entry_point = 0x7a05be0000 region_type = mapped_file name = "mshdc.pnf" filename = "\\Windows\\Inf\\mshdc.PNF" (normalized: "c:\\windows\\inf\\mshdc.pnf") Region: id = 1399 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "stornvme.pnf" filename = "\\Windows\\Inf\\stornvme.PNF" (normalized: "c:\\windows\\inf\\stornvme.pnf") Region: id = 1400 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "swenum.pnf" filename = "\\Windows\\Inf\\swenum.PNF" (normalized: "c:\\windows\\inf\\swenum.pnf") Region: id = 1401 start_va = 0x7a05be0000 end_va = 0x7a05be4fff entry_point = 0x7a05be0000 region_type = mapped_file name = "netip6.pnf" filename = "\\Windows\\Inf\\netip6.PNF" (normalized: "c:\\windows\\inf\\netip6.pnf") Region: id = 1402 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "termmou.pnf" filename = "\\Windows\\Inf\\termmou.PNF" (normalized: "c:\\windows\\inf\\termmou.pnf") Region: id = 1403 start_va = 0x7a05be0000 end_va = 0x7a05be3fff entry_point = 0x7a05be0000 region_type = mapped_file name = "tpm.pnf" filename = "\\Windows\\Inf\\tpm.PNF" (normalized: "c:\\windows\\inf\\tpm.pnf") Region: id = 1404 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "tsgenericusbdriver.pnf" filename = "\\Windows\\Inf\\tsgenericusbdriver.PNF" (normalized: "c:\\windows\\inf\\tsgenericusbdriver.pnf") Region: id = 1405 start_va = 0x7a05be0000 end_va = 0x7a05be3fff entry_point = 0x7a05be0000 region_type = mapped_file name = "nettun.pnf" filename = "\\Windows\\Inf\\nettun.PNF" (normalized: "c:\\windows\\inf\\nettun.pnf") Region: id = 1406 start_va = 0x7a05be0000 end_va = 0x7a05cbffff entry_point = 0x7a05be0000 region_type = mapped_file name = "machine.pnf" filename = "\\Windows\\Inf\\machine.PNF" (normalized: "c:\\windows\\inf\\machine.pnf") Region: id = 1407 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "uaspstor.pnf" filename = "\\Windows\\Inf\\uaspstor.PNF" (normalized: "c:\\windows\\inf\\uaspstor.pnf") Region: id = 1408 start_va = 0x7a05be0000 end_va = 0x7a05cbffff entry_point = 0x7a05be0000 region_type = mapped_file name = "machine.pnf" filename = "\\Windows\\Inf\\machine.PNF" (normalized: "c:\\windows\\inf\\machine.pnf") Region: id = 1409 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "umbus.pnf" filename = "\\Windows\\Inf\\umbus.PNF" (normalized: "c:\\windows\\inf\\umbus.pnf") Region: id = 1410 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "umpass.pnf" filename = "\\Windows\\Inf\\umpass.PNF" (normalized: "c:\\windows\\inf\\umpass.pnf") Region: id = 1411 start_va = 0x7a05be0000 end_va = 0x7a05bf1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "usb.pnf" filename = "\\Windows\\Inf\\usb.PNF" (normalized: "c:\\windows\\inf\\usb.pnf") Region: id = 1412 start_va = 0x7a05be0000 end_va = 0x7a05beefff entry_point = 0x7a05be0000 region_type = mapped_file name = "usbcir.pnf" filename = "\\Windows\\Inf\\usbcir.PNF" (normalized: "c:\\windows\\inf\\usbcir.pnf") Region: id = 1413 start_va = 0x7a05be0000 end_va = 0x7a05c02fff entry_point = 0x7a05be0000 region_type = mapped_file name = "usbport.pnf" filename = "\\Windows\\Inf\\usbport.PNF" (normalized: "c:\\windows\\inf\\usbport.pnf") Region: id = 1414 start_va = 0x7a05be0000 end_va = 0x7a05be4fff entry_point = 0x7a05be0000 region_type = mapped_file name = "usbhub3.pnf" filename = "\\Windows\\Inf\\usbhub3.PNF" (normalized: "c:\\windows\\inf\\usbhub3.pnf") Region: id = 1415 start_va = 0x7a05be0000 end_va = 0x7a05c02fff entry_point = 0x7a05be0000 region_type = mapped_file name = "usbport.pnf" filename = "\\Windows\\Inf\\usbport.PNF" (normalized: "c:\\windows\\inf\\usbport.pnf") Region: id = 1416 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "usbprint.pnf" filename = "\\Windows\\Inf\\usbprint.PNF" (normalized: "c:\\windows\\inf\\usbprint.pnf") Region: id = 1417 start_va = 0x7a05be0000 end_va = 0x7a05beefff entry_point = 0x7a05be0000 region_type = mapped_file name = "usbstor.pnf" filename = "\\Windows\\Inf\\usbstor.PNF" (normalized: "c:\\windows\\inf\\usbstor.pnf") Region: id = 1418 start_va = 0x7a05be0000 end_va = 0x7a05c02fff entry_point = 0x7a05be0000 region_type = mapped_file name = "usbport.pnf" filename = "\\Windows\\Inf\\usbport.PNF" (normalized: "c:\\windows\\inf\\usbport.pnf") Region: id = 1419 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "usbxhci.pnf" filename = "\\Windows\\Inf\\usbxhci.PNF" (normalized: "c:\\windows\\inf\\usbxhci.pnf") Region: id = 1420 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "vdrvroot.pnf" filename = "\\Windows\\Inf\\vdrvroot.PNF" (normalized: "c:\\windows\\inf\\vdrvroot.pnf") Region: id = 1421 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "volmgr.pnf" filename = "\\Windows\\Inf\\volmgr.PNF" (normalized: "c:\\windows\\inf\\volmgr.pnf") Region: id = 1422 start_va = 0x7a05be0000 end_va = 0x7a05be1fff entry_point = 0x7a05be0000 region_type = mapped_file name = "volume.pnf" filename = "\\Windows\\Inf\\volume.PNF" (normalized: "c:\\windows\\inf\\volume.pnf") Region: id = 1423 start_va = 0x7a05be0000 end_va = 0x7a05be2fff entry_point = 0x7a05be0000 region_type = mapped_file name = "wvpcivsp.pnf" filename = "\\Windows\\Inf\\wvpcivsp.PNF" (normalized: "c:\\windows\\inf\\wvpcivsp.pnf") Region: id = 1424 start_va = 0x7a05be0000 end_va = 0x7a05be3fff entry_point = 0x7a05be0000 region_type = mapped_file name = "hidbthle.pnf" filename = "\\Windows\\Inf\\hidbthle.PNF" (normalized: "c:\\windows\\inf\\hidbthle.pnf") Region: id = 1425 start_va = 0x7a05be0000 end_va = 0x7a05c5ffff entry_point = 0x0 region_type = private name = "private_0x0000007a05be0000" filename = "" Region: id = 1426 start_va = 0x7ff7e5e6c000 end_va = 0x7ff7e5e6dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7e5e6c000" filename = "" Region: id = 1427 start_va = 0x7ff9fbb80000 end_va = 0x7ff9fbc07fff entry_point = 0x7ff9fbb80000 region_type = mapped_file name = "scesrv.dll" filename = "\\Windows\\System32\\scesrv.dll" (normalized: "c:\\windows\\system32\\scesrv.dll") Region: id = 1428 start_va = 0x7a05c60000 end_va = 0x7a05c60fff entry_point = 0x0 region_type = private name = "private_0x0000007a05c60000" filename = "" Region: id = 1429 start_va = 0x7a05dd0000 end_va = 0x7a05e4ffff entry_point = 0x0 region_type = private name = "private_0x0000007a05dd0000" filename = "" Region: id = 1430 start_va = 0x7ff7e5e6a000 end_va = 0x7ff7e5e6bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7e5e6a000" filename = "" Region: id = 1431 start_va = 0x7ff9fbb30000 end_va = 0x7ff9fbb77fff entry_point = 0x7ff9fbb30000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1435 start_va = 0x7a05c60000 end_va = 0x7a05c67fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a05c60000" filename = "" Region: id = 1479 start_va = 0x7a05c70000 end_va = 0x7a05c72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a05c70000" filename = "" Region: id = 1480 start_va = 0x7a05c80000 end_va = 0x7a05c80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a05c80000" filename = "" Region: id = 1481 start_va = 0x7a05e50000 end_va = 0x7a05ecffff entry_point = 0x0 region_type = private name = "private_0x0000007a05e50000" filename = "" Region: id = 1482 start_va = 0x7a061e0000 end_va = 0x7a065dbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000007a061e0000" filename = "" Region: id = 1483 start_va = 0x7ff7e5e68000 end_va = 0x7ff7e5e69fff entry_point = 0x0 region_type = private name = "private_0x00007ff7e5e68000" filename = "" Region: id = 1567 start_va = 0x7a065e0000 end_va = 0x7a0665ffff entry_point = 0x0 region_type = private name = "private_0x0000007a065e0000" filename = "" Region: id = 1568 start_va = 0x7ff7e5e66000 end_va = 0x7ff7e5e67fff entry_point = 0x0 region_type = private name = "private_0x00007ff7e5e66000" filename = "" Region: id = 1873 start_va = 0x7a06660000 end_va = 0x7a066dffff entry_point = 0x0 region_type = private name = "private_0x0000007a06660000" filename = "" Region: id = 1874 start_va = 0x7ff7e5e64000 end_va = 0x7ff7e5e65fff entry_point = 0x0 region_type = private name = "private_0x00007ff7e5e64000" filename = "" Thread: id = 112 os_tid = 0x1d4 Thread: id = 126 os_tid = 0x208 Thread: id = 127 os_tid = 0x20c Thread: id = 132 os_tid = 0x224 Thread: id = 143 os_tid = 0x254 Thread: id = 175 os_tid = 0x2d8 Process: id = "20" image_name = "lsass.exe" filename = "c:\\windows\\system32\\lsass.exe" page_root = "0x36e1000" os_pid = "0x1d8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x178" cmd_line = "C:\\Windows\\system32\\lsass.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1180 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1181 start_va = 0x3e43290000 end_va = 0x3e432affff entry_point = 0x0 region_type = private name = "private_0x0000003e43290000" filename = "" Region: id = 1182 start_va = 0x3e432b0000 end_va = 0x3e432befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e432b0000" filename = "" Region: id = 1183 start_va = 0x3e432c0000 end_va = 0x3e4333ffff entry_point = 0x0 region_type = private name = "private_0x0000003e432c0000" filename = "" Region: id = 1184 start_va = 0x3e43340000 end_va = 0x3e43343fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e43340000" filename = "" Region: id = 1185 start_va = 0x7ff6f3b50000 end_va = 0x7ff6f3b72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6f3b50000" filename = "" Region: id = 1186 start_va = 0x7ff6f3b7d000 end_va = 0x7ff6f3b7efff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3b7d000" filename = "" Region: id = 1187 start_va = 0x7ff6f3b7f000 end_va = 0x7ff6f3b7ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3b7f000" filename = "" Region: id = 1188 start_va = 0x7ff6f3c20000 end_va = 0x7ff6f3c2dfff entry_point = 0x7ff6f3c20000 region_type = mapped_file name = "lsass.exe" filename = "\\Windows\\System32\\lsass.exe" (normalized: "c:\\windows\\system32\\lsass.exe") Region: id = 1189 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1192 start_va = 0x3e43350000 end_va = 0x3e43350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e43350000" filename = "" Region: id = 1193 start_va = 0x3e43360000 end_va = 0x3e43361fff entry_point = 0x0 region_type = private name = "private_0x0000003e43360000" filename = "" Region: id = 1194 start_va = 0x3e43420000 end_va = 0x3e4351ffff entry_point = 0x0 region_type = private name = "private_0x0000003e43420000" filename = "" Region: id = 1195 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1196 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1197 start_va = 0x3e43290000 end_va = 0x3e4329ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e43290000" filename = "" Region: id = 1198 start_va = 0x7ff6f3a50000 end_va = 0x7ff6f3b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6f3a50000" filename = "" Region: id = 1199 start_va = 0x3e43370000 end_va = 0x3e433edfff entry_point = 0x3e43370000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1200 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1201 start_va = 0x7ff9fc670000 end_va = 0x7ff9fc67afff entry_point = 0x7ff9fc670000 region_type = mapped_file name = "sspisrv.dll" filename = "\\Windows\\System32\\sspisrv.dll" (normalized: "c:\\windows\\system32\\sspisrv.dll") Region: id = 1208 start_va = 0x3e432a0000 end_va = 0x3e432a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e432a0000" filename = "" Region: id = 1209 start_va = 0x3e43520000 end_va = 0x3e4359ffff entry_point = 0x0 region_type = private name = "private_0x0000003e43520000" filename = "" Region: id = 1210 start_va = 0x7ff6f3b7b000 end_va = 0x7ff6f3b7cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3b7b000" filename = "" Region: id = 1211 start_va = 0x7ff9fc4e0000 end_va = 0x7ff9fc63cfff entry_point = 0x7ff9fc4e0000 region_type = mapped_file name = "lsasrv.dll" filename = "\\Windows\\System32\\lsasrv.dll" (normalized: "c:\\windows\\system32\\lsasrv.dll") Region: id = 1214 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1215 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1216 start_va = 0x3e433f0000 end_va = 0x3e433f6fff entry_point = 0x0 region_type = private name = "private_0x0000003e433f0000" filename = "" Region: id = 1217 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1218 start_va = 0x7ff9fca50000 end_va = 0x7ff9fca99fff entry_point = 0x7ff9fca50000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1219 start_va = 0x7ff9fc920000 end_va = 0x7ff9fc931fff entry_point = 0x7ff9fc920000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1220 start_va = 0x3e435a0000 end_va = 0x3e4360ffff entry_point = 0x0 region_type = private name = "private_0x0000003e435a0000" filename = "" Region: id = 1221 start_va = 0x3e43400000 end_va = 0x3e43406fff entry_point = 0x0 region_type = private name = "private_0x0000003e43400000" filename = "" Region: id = 1228 start_va = 0x7ff9fc390000 end_va = 0x7ff9fc45dfff entry_point = 0x7ff9fc390000 region_type = mapped_file name = "samsrv.dll" filename = "\\Windows\\System32\\samsrv.dll" (normalized: "c:\\windows\\system32\\samsrv.dll") Region: id = 1229 start_va = 0x3e43410000 end_va = 0x3e4341ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e43410000" filename = "" Region: id = 1230 start_va = 0x3e43610000 end_va = 0x3e4368ffff entry_point = 0x0 region_type = private name = "private_0x0000003e43610000" filename = "" Region: id = 1231 start_va = 0x7ff6f3b79000 end_va = 0x7ff6f3b7afff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3b79000" filename = "" Region: id = 1232 start_va = 0x3e43690000 end_va = 0x3e43790fff entry_point = 0x0 region_type = private name = "private_0x0000003e43690000" filename = "" Region: id = 1233 start_va = 0x3e43690000 end_va = 0x3e43790fff entry_point = 0x0 region_type = private name = "private_0x0000003e43690000" filename = "" Region: id = 1234 start_va = 0x3e43690000 end_va = 0x3e43790fff entry_point = 0x0 region_type = private name = "private_0x0000003e43690000" filename = "" Region: id = 1235 start_va = 0x3e43690000 end_va = 0x3e43790fff entry_point = 0x0 region_type = private name = "private_0x0000003e43690000" filename = "" Region: id = 1236 start_va = 0x3e43690000 end_va = 0x3e43790fff entry_point = 0x0 region_type = private name = "private_0x0000003e43690000" filename = "" Region: id = 1244 start_va = 0x3e435a0000 end_va = 0x3e435affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e435a0000" filename = "" Region: id = 1245 start_va = 0x3e43600000 end_va = 0x3e4360ffff entry_point = 0x0 region_type = private name = "private_0x0000003e43600000" filename = "" Region: id = 1247 start_va = 0x7ff9fc360000 end_va = 0x7ff9fc385fff entry_point = 0x7ff9fc360000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1249 start_va = 0x7ff9fc330000 end_va = 0x7ff9fc353fff entry_point = 0x7ff9fc330000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1252 start_va = 0x7ff9fc2f0000 end_va = 0x7ff9fc329fff entry_point = 0x7ff9fc2f0000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 1256 start_va = 0x3e43690000 end_va = 0x3e4370ffff entry_point = 0x0 region_type = private name = "private_0x0000003e43690000" filename = "" Region: id = 1257 start_va = 0x3e43710000 end_va = 0x3e4378ffff entry_point = 0x0 region_type = private name = "private_0x0000003e43710000" filename = "" Region: id = 1258 start_va = 0x7ff6f3b75000 end_va = 0x7ff6f3b76fff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3b75000" filename = "" Region: id = 1259 start_va = 0x7ff6f3b77000 end_va = 0x7ff6f3b78fff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3b77000" filename = "" Region: id = 1260 start_va = 0x3e435b0000 end_va = 0x3e435b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e435b0000" filename = "" Region: id = 1261 start_va = 0x3e435c0000 end_va = 0x3e435c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e435c0000" filename = "" Region: id = 1262 start_va = 0x3e43790000 end_va = 0x3e43b8bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e43790000" filename = "" Region: id = 1265 start_va = 0x7ff9fc2e0000 end_va = 0x7ff9fc2e1fff entry_point = 0x7ff9fc2e0000 region_type = mapped_file name = "msprivs.dll" filename = "\\Windows\\System32\\msprivs.dll" (normalized: "c:\\windows\\system32\\msprivs.dll") Region: id = 1268 start_va = 0x7ff9fc290000 end_va = 0x7ff9fc2dffff entry_point = 0x7ff9fc290000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1269 start_va = 0x7ff9fc260000 end_va = 0x7ff9fc285fff entry_point = 0x7ff9fc260000 region_type = mapped_file name = "negoexts.dll" filename = "\\Windows\\System32\\negoexts.dll" (normalized: "c:\\windows\\system32\\negoexts.dll") Region: id = 1270 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1272 start_va = 0x7ff9fc240000 end_va = 0x7ff9fc257fff entry_point = 0x7ff9fc240000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 1273 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1277 start_va = 0x7ff9fc150000 end_va = 0x7ff9fc23afff entry_point = 0x7ff9fc150000 region_type = mapped_file name = "kerberos.dll" filename = "\\Windows\\System32\\kerberos.dll" (normalized: "c:\\windows\\system32\\kerberos.dll") Region: id = 1280 start_va = 0x3e435d0000 end_va = 0x3e435dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e435d0000" filename = "" Region: id = 1281 start_va = 0x7ff9fc130000 end_va = 0x7ff9fc14dfff entry_point = 0x7ff9fc130000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1282 start_va = 0x3e435e0000 end_va = 0x3e435e0fff entry_point = 0x0 region_type = private name = "private_0x0000003e435e0000" filename = "" Region: id = 1283 start_va = 0x3e435e0000 end_va = 0x3e435e0fff entry_point = 0x0 region_type = private name = "private_0x0000003e435e0000" filename = "" Region: id = 1284 start_va = 0x3e435e0000 end_va = 0x3e435e0fff entry_point = 0x0 region_type = private name = "private_0x0000003e435e0000" filename = "" Region: id = 1285 start_va = 0x7ff9fd250000 end_va = 0x7ff9fd2a7fff entry_point = 0x7ff9fd250000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1287 start_va = 0x7ff9ff470000 end_va = 0x7ff9ff478fff entry_point = 0x7ff9ff470000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1288 start_va = 0x7ff9fc0d0000 end_va = 0x7ff9fc127fff entry_point = 0x7ff9fc0d0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1290 start_va = 0x3e435e0000 end_va = 0x3e435e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e435e0000" filename = "" Region: id = 1291 start_va = 0x3e43b90000 end_va = 0x3e43c90fff entry_point = 0x0 region_type = private name = "private_0x0000003e43b90000" filename = "" Region: id = 1292 start_va = 0x3e43b90000 end_va = 0x3e43c90fff entry_point = 0x0 region_type = private name = "private_0x0000003e43b90000" filename = "" Region: id = 1293 start_va = 0x3e43b90000 end_va = 0x3e43c90fff entry_point = 0x0 region_type = private name = "private_0x0000003e43b90000" filename = "" Region: id = 1298 start_va = 0x7ff9fc060000 end_va = 0x7ff9fc0c7fff entry_point = 0x7ff9fc060000 region_type = mapped_file name = "msv1_0.dll" filename = "\\Windows\\System32\\msv1_0.dll" (normalized: "c:\\windows\\system32\\msv1_0.dll") Region: id = 1299 start_va = 0x3e435e0000 end_va = 0x3e435effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e435e0000" filename = "" Region: id = 1300 start_va = 0x3e435e0000 end_va = 0x3e435e0fff entry_point = 0x0 region_type = private name = "private_0x0000003e435e0000" filename = "" Region: id = 1303 start_va = 0x7ff9fbf90000 end_va = 0x7ff9fc05efff entry_point = 0x7ff9fbf90000 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 1306 start_va = 0x7ff9fbee0000 end_va = 0x7ff9fbf82fff entry_point = 0x7ff9fbee0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1307 start_va = 0x7ff9fbea0000 end_va = 0x7ff9fbedcfff entry_point = 0x7ff9fbea0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1308 start_va = 0x7ff9fc820000 end_va = 0x7ff9fc864fff entry_point = 0x7ff9fc820000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1311 start_va = 0x7ff9fbe80000 end_va = 0x7ff9fbe9efff entry_point = 0x7ff9fbe80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1312 start_va = 0x7ff9fd2b0000 end_va = 0x7ff9fd354fff entry_point = 0x7ff9fd2b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1315 start_va = 0x7ff9fc870000 end_va = 0x7ff9fc883fff entry_point = 0x7ff9fc870000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1322 start_va = 0x7ff9fbe60000 end_va = 0x7ff9fbe7afff entry_point = 0x7ff9fbe60000 region_type = mapped_file name = "tspkg.dll" filename = "\\Windows\\System32\\TSpkg.dll" (normalized: "c:\\windows\\system32\\tspkg.dll") Region: id = 1323 start_va = 0x3e435e0000 end_va = 0x3e435effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e435e0000" filename = "" Region: id = 1324 start_va = 0x7ff9fbe10000 end_va = 0x7ff9fbe56fff entry_point = 0x7ff9fbe10000 region_type = mapped_file name = "pku2u.dll" filename = "\\Windows\\System32\\pku2u.dll" (normalized: "c:\\windows\\system32\\pku2u.dll") Region: id = 1325 start_va = 0x7ff9fbdb0000 end_va = 0x7ff9fbe0bfff entry_point = 0x7ff9fbdb0000 region_type = mapped_file name = "livessp.dll" filename = "\\Windows\\System32\\livessp.dll" (normalized: "c:\\windows\\system32\\livessp.dll") Region: id = 1328 start_va = 0x3e435e0000 end_va = 0x3e435e0fff entry_point = 0x0 region_type = private name = "private_0x0000003e435e0000" filename = "" Region: id = 1329 start_va = 0x7ff9fbd70000 end_va = 0x7ff9fbda4fff entry_point = 0x7ff9fbd70000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1332 start_va = 0x7ff9fbd30000 end_va = 0x7ff9fbd69fff entry_point = 0x7ff9fbd30000 region_type = mapped_file name = "wdigest.dll" filename = "\\Windows\\System32\\wdigest.dll" (normalized: "c:\\windows\\system32\\wdigest.dll") Region: id = 1334 start_va = 0x3e435e0000 end_va = 0x3e435effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e435e0000" filename = "" Region: id = 1336 start_va = 0x3e435e0000 end_va = 0x3e435f0fff entry_point = 0x3e435e0000 region_type = mapped_file name = "c_28591.nls" filename = "\\Windows\\System32\\C_28591.NLS" (normalized: "c:\\windows\\system32\\c_28591.nls") Region: id = 1337 start_va = 0x3e43b90000 end_va = 0x3e43e64fff entry_point = 0x3e43b90000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1340 start_va = 0x7ff9fbcc0000 end_va = 0x7ff9fbd2afff entry_point = 0x7ff9fbcc0000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1341 start_va = 0x7ff9fcaf0000 end_va = 0x7ff9fccc6fff entry_point = 0x7ff9fcaf0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1344 start_va = 0x3e43e70000 end_va = 0x3e43e7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e43e70000" filename = "" Region: id = 1345 start_va = 0x3e43e70000 end_va = 0x3e43e70fff entry_point = 0x0 region_type = private name = "private_0x0000003e43e70000" filename = "" Region: id = 1346 start_va = 0x7ff9fbca0000 end_va = 0x7ff9fbcb1fff entry_point = 0x7ff9fbca0000 region_type = mapped_file name = "efslsaext.dll" filename = "\\Windows\\System32\\efslsaext.dll" (normalized: "c:\\windows\\system32\\efslsaext.dll") Region: id = 1348 start_va = 0x7ff9fbc60000 end_va = 0x7ff9fbc92fff entry_point = 0x7ff9fbc60000 region_type = mapped_file name = "dpapisrv.dll" filename = "\\Windows\\System32\\dpapisrv.dll" (normalized: "c:\\windows\\system32\\dpapisrv.dll") Region: id = 1349 start_va = 0x3e43e80000 end_va = 0x3e43efffff entry_point = 0x0 region_type = private name = "private_0x0000003e43e80000" filename = "" Region: id = 1350 start_va = 0x7ff6f3b73000 end_va = 0x7ff6f3b74fff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3b73000" filename = "" Region: id = 1351 start_va = 0x3e43f00000 end_va = 0x3e43f00fff entry_point = 0x0 region_type = private name = "private_0x0000003e43f00000" filename = "" Region: id = 1352 start_va = 0x3e43f10000 end_va = 0x3e43f10fff entry_point = 0x0 region_type = private name = "private_0x0000003e43f10000" filename = "" Region: id = 1353 start_va = 0x3e43f20000 end_va = 0x3e43f20fff entry_point = 0x0 region_type = private name = "private_0x0000003e43f20000" filename = "" Region: id = 1354 start_va = 0x3e43f30000 end_va = 0x3e43f30fff entry_point = 0x0 region_type = private name = "private_0x0000003e43f30000" filename = "" Region: id = 1355 start_va = 0x3e43f40000 end_va = 0x3e43f40fff entry_point = 0x0 region_type = private name = "private_0x0000003e43f40000" filename = "" Region: id = 1356 start_va = 0x3e43f50000 end_va = 0x3e43f50fff entry_point = 0x0 region_type = private name = "private_0x0000003e43f50000" filename = "" Region: id = 1357 start_va = 0x3e43f60000 end_va = 0x3e43f60fff entry_point = 0x0 region_type = private name = "private_0x0000003e43f60000" filename = "" Region: id = 1358 start_va = 0x3e43f70000 end_va = 0x3e43f70fff entry_point = 0x0 region_type = private name = "private_0x0000003e43f70000" filename = "" Region: id = 1360 start_va = 0x7ff9fbc50000 end_va = 0x7ff9fbc59fff entry_point = 0x7ff9fbc50000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1361 start_va = 0x3e43f80000 end_va = 0x3e43ffffff entry_point = 0x0 region_type = private name = "private_0x0000003e43f80000" filename = "" Region: id = 1362 start_va = 0x7ff6f3a4e000 end_va = 0x7ff6f3a4ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3a4e000" filename = "" Region: id = 1363 start_va = 0x3e44000000 end_va = 0x3e4407ffff entry_point = 0x0 region_type = private name = "private_0x0000003e44000000" filename = "" Region: id = 1364 start_va = 0x7ff6f3a4c000 end_va = 0x7ff6f3a4dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3a4c000" filename = "" Region: id = 1365 start_va = 0x3e44080000 end_va = 0x3e440fffff entry_point = 0x0 region_type = private name = "private_0x0000003e44080000" filename = "" Region: id = 1366 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x3e44100000 region_type = mapped_file name = "b2178b99-f9f6-47ad-b0eb-4e709bc8dfda" filename = "\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User\\b2178b99-f9f6-47ad-b0eb-4e709bc8dfda" (normalized: "c:\\windows\\system32\\microsoft\\protect\\s-1-5-18\\user\\b2178b99-f9f6-47ad-b0eb-4e709bc8dfda") Region: id = 1367 start_va = 0x7ff6f3a4a000 end_va = 0x7ff6f3a4bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3a4a000" filename = "" Region: id = 1369 start_va = 0x3e44080000 end_va = 0x3e44080fff entry_point = 0x0 region_type = private name = "private_0x0000003e44080000" filename = "" Region: id = 1370 start_va = 0x7ff9fbc10000 end_va = 0x7ff9fbc56fff entry_point = 0x7ff9fbc10000 region_type = mapped_file name = "scecli.dll" filename = "\\Windows\\System32\\scecli.dll" (normalized: "c:\\windows\\system32\\scecli.dll") Region: id = 1372 start_va = 0x3e44080000 end_va = 0x3e440fffff entry_point = 0x0 region_type = private name = "private_0x0000003e44080000" filename = "" Region: id = 1373 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x0 region_type = private name = "private_0x0000003e44100000" filename = "" Region: id = 1374 start_va = 0x7ff6f3a4a000 end_va = 0x7ff6f3a4bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6f3a4a000" filename = "" Region: id = 1375 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x0 region_type = private name = "private_0x0000003e44100000" filename = "" Region: id = 1376 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x0 region_type = private name = "private_0x0000003e44100000" filename = "" Region: id = 1377 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x0 region_type = private name = "private_0x0000003e44100000" filename = "" Region: id = 1378 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x0 region_type = private name = "private_0x0000003e44100000" filename = "" Region: id = 1379 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x0 region_type = private name = "private_0x0000003e44100000" filename = "" Region: id = 1380 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x0 region_type = private name = "private_0x0000003e44100000" filename = "" Region: id = 1381 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x0 region_type = private name = "private_0x0000003e44100000" filename = "" Region: id = 1382 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x0 region_type = private name = "private_0x0000003e44100000" filename = "" Region: id = 1383 start_va = 0x3e44100000 end_va = 0x3e44100fff entry_point = 0x0 region_type = private name = "private_0x0000003e44100000" filename = "" Region: id = 1384 start_va = 0x3e432c0000 end_va = 0x3e432c0fff entry_point = 0x0 region_type = private name = "private_0x0000003e432c0000" filename = "" Region: id = 1385 start_va = 0x3e432c0000 end_va = 0x3e432c0fff entry_point = 0x0 region_type = private name = "private_0x0000003e432c0000" filename = "" Region: id = 1386 start_va = 0x3e432c0000 end_va = 0x3e432c0fff entry_point = 0x0 region_type = private name = "private_0x0000003e432c0000" filename = "" Region: id = 1387 start_va = 0x3e432c0000 end_va = 0x3e432c0fff entry_point = 0x0 region_type = private name = "private_0x0000003e432c0000" filename = "" Region: id = 1388 start_va = 0x3e432c0000 end_va = 0x3e432c0fff entry_point = 0x0 region_type = private name = "private_0x0000003e432c0000" filename = "" Region: id = 1389 start_va = 0x3e432c0000 end_va = 0x3e432c0fff entry_point = 0x0 region_type = private name = "private_0x0000003e432c0000" filename = "" Region: id = 1390 start_va = 0x3e432c0000 end_va = 0x3e432c0fff entry_point = 0x0 region_type = private name = "private_0x0000003e432c0000" filename = "" Region: id = 1432 start_va = 0x3e432c0000 end_va = 0x3e432c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e432c0000" filename = "" Region: id = 1433 start_va = 0x7ff9fbb20000 end_va = 0x7ff9fbb2bfff entry_point = 0x7ff9fbb20000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1434 start_va = 0x7ff9fc790000 end_va = 0x7ff9fc7e6fff entry_point = 0x7ff9fc790000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1634 start_va = 0x3e432c0000 end_va = 0x3e432fbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003e432c0000" filename = "" Region: id = 1635 start_va = 0x3e43300000 end_va = 0x3e43300fff entry_point = 0x3e43300000 region_type = mapped_file name = "c935af96-e1e7-4ce7-8449-cd5484d3bbb0" filename = "\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\c935af96-e1e7-4ce7-8449-cd5484d3bbb0" (normalized: "c:\\windows\\system32\\microsoft\\protect\\s-1-5-18\\c935af96-e1e7-4ce7-8449-cd5484d3bbb0") Region: id = 1990 start_va = 0x3e44000000 end_va = 0x3e440fffff entry_point = 0x0 region_type = private name = "private_0x0000003e44000000" filename = "" Region: id = 1991 start_va = 0x7ff9fa450000 end_va = 0x7ff9fa4b6fff entry_point = 0x7ff9fa450000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Thread: id = 113 os_tid = 0x1dc Thread: id = 114 os_tid = 0x1e0 Thread: id = 115 os_tid = 0x1e4 Thread: id = 116 os_tid = 0x1e8 Thread: id = 117 os_tid = 0x1ec Thread: id = 121 os_tid = 0x1f4 Thread: id = 122 os_tid = 0x1f8 Thread: id = 123 os_tid = 0x1fc Thread: id = 124 os_tid = 0x200 Thread: id = 125 os_tid = 0x204 Thread: id = 228 os_tid = 0x3b0 Process: id = "21" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x50fd000" os_pid = "0x210" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BrokerInfrastructure" [0xa], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\DeviceInstall" [0xa], "NT SERVICE\\LSM" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT SERVICE\\SystemEventsBroker" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000629a" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1436 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1437 start_va = 0x9b9c480000 end_va = 0x9b9c49ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9c480000" filename = "" Region: id = 1438 start_va = 0x9b9c4a0000 end_va = 0x9b9c4aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b9c4a0000" filename = "" Region: id = 1439 start_va = 0x9b9c4b0000 end_va = 0x9b9c52ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9c4b0000" filename = "" Region: id = 1440 start_va = 0x9b9c530000 end_va = 0x9b9c533fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b9c530000" filename = "" Region: id = 1441 start_va = 0x7ff606b40000 end_va = 0x7ff606b62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606b40000" filename = "" Region: id = 1442 start_va = 0x7ff606b6d000 end_va = 0x7ff606b6efff entry_point = 0x0 region_type = private name = "private_0x00007ff606b6d000" filename = "" Region: id = 1443 start_va = 0x7ff606b6f000 end_va = 0x7ff606b6ffff entry_point = 0x0 region_type = private name = "private_0x00007ff606b6f000" filename = "" Region: id = 1444 start_va = 0x7ff606dc0000 end_va = 0x7ff606dcbfff entry_point = 0x7ff606dc0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1445 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1448 start_va = 0x9b9c540000 end_va = 0x9b9c540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b9c540000" filename = "" Region: id = 1449 start_va = 0x9b9c550000 end_va = 0x9b9c551fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c550000" filename = "" Region: id = 1450 start_va = 0x9b9c630000 end_va = 0x9b9c72ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9c630000" filename = "" Region: id = 1451 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1452 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1453 start_va = 0x9b9c480000 end_va = 0x9b9c48ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b9c480000" filename = "" Region: id = 1454 start_va = 0x7ff606a40000 end_va = 0x7ff606b3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606a40000" filename = "" Region: id = 1455 start_va = 0x9b9c560000 end_va = 0x9b9c5ddfff entry_point = 0x9b9c560000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1456 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1457 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1458 start_va = 0x9b9c490000 end_va = 0x9b9c496fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c490000" filename = "" Region: id = 1459 start_va = 0x9b9c730000 end_va = 0x9b9c7affff entry_point = 0x0 region_type = private name = "private_0x0000009b9c730000" filename = "" Region: id = 1460 start_va = 0x7ff606b6b000 end_va = 0x7ff606b6cfff entry_point = 0x0 region_type = private name = "private_0x00007ff606b6b000" filename = "" Region: id = 1461 start_va = 0x9b9c7b0000 end_va = 0x9b9c82ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9c7b0000" filename = "" Region: id = 1462 start_va = 0x7ff606b69000 end_va = 0x7ff606b6afff entry_point = 0x0 region_type = private name = "private_0x00007ff606b69000" filename = "" Region: id = 1463 start_va = 0x9b9c830000 end_va = 0x9b9cb04fff entry_point = 0x9b9c830000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1464 start_va = 0x7ff9fbaf0000 end_va = 0x7ff9fbb12fff entry_point = 0x7ff9fbaf0000 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 1465 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1466 start_va = 0x9b9cb10000 end_va = 0x9b9ccaffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cb10000" filename = "" Region: id = 1467 start_va = 0x9b9c5e0000 end_va = 0x9b9c5e6fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5e0000" filename = "" Region: id = 1468 start_va = 0x9b9cb10000 end_va = 0x9b9cb8ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cb10000" filename = "" Region: id = 1469 start_va = 0x9b9cca0000 end_va = 0x9b9ccaffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cca0000" filename = "" Region: id = 1470 start_va = 0x7ff606b67000 end_va = 0x7ff606b68fff entry_point = 0x0 region_type = private name = "private_0x00007ff606b67000" filename = "" Region: id = 1471 start_va = 0x7ff9fbad0000 end_va = 0x7ff9fbae5fff entry_point = 0x7ff9fbad0000 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 1472 start_va = 0x9b9cb90000 end_va = 0x9b9cc9ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cb90000" filename = "" Region: id = 1473 start_va = 0x7ff9fbac0000 end_va = 0x7ff9fbacefff entry_point = 0x7ff9fbac0000 region_type = mapped_file name = "umpoext.dll" filename = "\\Windows\\System32\\umpoext.dll" (normalized: "c:\\windows\\system32\\umpoext.dll") Region: id = 1474 start_va = 0x7ff9fca50000 end_va = 0x7ff9fca99fff entry_point = 0x7ff9fca50000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1475 start_va = 0x7ff9fc820000 end_va = 0x7ff9fc864fff entry_point = 0x7ff9fc820000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1476 start_va = 0x7ff9fbab0000 end_va = 0x7ff9fbabdfff entry_point = 0x7ff9fbab0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 1477 start_va = 0x7ff9fbaa0000 end_va = 0x7ff9fbaacfff entry_point = 0x7ff9fbaa0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1478 start_va = 0x7ff9fba70000 end_va = 0x7ff9fba92fff entry_point = 0x7ff9fba70000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1484 start_va = 0x9b9c7b0000 end_va = 0x9b9c82ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9c7b0000" filename = "" Region: id = 1485 start_va = 0x7ff606b69000 end_va = 0x7ff606b6afff entry_point = 0x0 region_type = private name = "private_0x00007ff606b69000" filename = "" Region: id = 1486 start_va = 0x7ff9fb9b0000 end_va = 0x7ff9fba6bfff entry_point = 0x7ff9fb9b0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1487 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1514 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1515 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5f0000" filename = "" Region: id = 1516 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5f0000" filename = "" Region: id = 1517 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5f0000" filename = "" Region: id = 1518 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5f0000" filename = "" Region: id = 1519 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5f0000" filename = "" Region: id = 1520 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5f0000" filename = "" Region: id = 1521 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5f0000" filename = "" Region: id = 1522 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5f0000" filename = "" Region: id = 1523 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5f0000" filename = "" Region: id = 1524 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c5f0000" filename = "" Region: id = 1525 start_va = 0x9b9cb10000 end_va = 0x9b9cb8ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cb10000" filename = "" Region: id = 1526 start_va = 0x7ff606b67000 end_va = 0x7ff606b68fff entry_point = 0x0 region_type = private name = "private_0x00007ff606b67000" filename = "" Region: id = 1527 start_va = 0x9b9c5f0000 end_va = 0x9b9c5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b9c5f0000" filename = "" Region: id = 1529 start_va = 0x9b9cb90000 end_va = 0x9b9cc0ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cb90000" filename = "" Region: id = 1530 start_va = 0x9b9cc90000 end_va = 0x9b9cc9ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cc90000" filename = "" Region: id = 1531 start_va = 0x7ff606b65000 end_va = 0x7ff606b66fff entry_point = 0x0 region_type = private name = "private_0x00007ff606b65000" filename = "" Region: id = 1552 start_va = 0x9b9cc10000 end_va = 0x9b9cc8ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cc10000" filename = "" Region: id = 1553 start_va = 0x7ff606b63000 end_va = 0x7ff606b64fff entry_point = 0x0 region_type = private name = "private_0x00007ff606b63000" filename = "" Region: id = 1572 start_va = 0x9b9ccb0000 end_va = 0x9b9cd2ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9ccb0000" filename = "" Region: id = 1573 start_va = 0x7ff606a3e000 end_va = 0x7ff606a3ffff entry_point = 0x0 region_type = private name = "private_0x00007ff606a3e000" filename = "" Region: id = 1574 start_va = 0x9b9c600000 end_va = 0x9b9c600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b9c600000" filename = "" Region: id = 1575 start_va = 0x9b9c610000 end_va = 0x9b9c626fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b9c610000" filename = "" Region: id = 1591 start_va = 0x9b9cd30000 end_va = 0x9b9cdaffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cd30000" filename = "" Region: id = 1592 start_va = 0x7ff606a3c000 end_va = 0x7ff606a3dfff entry_point = 0x0 region_type = private name = "private_0x00007ff606a3c000" filename = "" Region: id = 1593 start_va = 0x7ff9fb8b0000 end_va = 0x7ff9fb963fff entry_point = 0x7ff9fb8b0000 region_type = mapped_file name = "lsm.dll" filename = "\\Windows\\System32\\lsm.dll" (normalized: "c:\\windows\\system32\\lsm.dll") Region: id = 1597 start_va = 0x9b9c610000 end_va = 0x9b9c610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b9c610000" filename = "" Region: id = 1599 start_va = 0x7ff9fb790000 end_va = 0x7ff9fb79afff entry_point = 0x7ff9fb790000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1604 start_va = 0x7ff9fb780000 end_va = 0x7ff9fb788fff entry_point = 0x7ff9fb780000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 1605 start_va = 0x7ff9fb860000 end_va = 0x7ff9fb8a5fff entry_point = 0x7ff9fb860000 region_type = mapped_file name = "bisrv.dll" filename = "\\Windows\\System32\\bisrv.dll" (normalized: "c:\\windows\\system32\\bisrv.dll") Region: id = 1606 start_va = 0x7ff9fd190000 end_va = 0x7ff9fd246fff entry_point = 0x7ff9fd190000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1607 start_va = 0x7ff9fb750000 end_va = 0x7ff9fb773fff entry_point = 0x7ff9fb750000 region_type = mapped_file name = "psmsrv.dll" filename = "\\Windows\\System32\\psmsrv.dll" (normalized: "c:\\windows\\system32\\psmsrv.dll") Region: id = 1608 start_va = 0x9b9cdb0000 end_va = 0x9b9cf28fff entry_point = 0x9b9cdb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1609 start_va = 0x9b9cdb0000 end_va = 0x9b9ceaffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cdb0000" filename = "" Region: id = 1610 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1611 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1612 start_va = 0x9b9ceb0000 end_va = 0x9b9d08ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9ceb0000" filename = "" Region: id = 1613 start_va = 0x9b9c620000 end_va = 0x9b9c620fff entry_point = 0x0 region_type = private name = "private_0x0000009b9c620000" filename = "" Region: id = 1614 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1615 start_va = 0x7ff9fbe80000 end_va = 0x7ff9fbe9efff entry_point = 0x7ff9fbe80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1616 start_va = 0x7ff9fc870000 end_va = 0x7ff9fc883fff entry_point = 0x7ff9fc870000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1618 start_va = 0x9b9ccb0000 end_va = 0x9b9cd2ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9ccb0000" filename = "" Region: id = 1619 start_va = 0x7ff606a3e000 end_va = 0x7ff606a3ffff entry_point = 0x0 region_type = private name = "private_0x00007ff606a3e000" filename = "" Region: id = 1620 start_va = 0x7ff9fb6f0000 end_va = 0x7ff9fb715fff entry_point = 0x7ff9fb6f0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1625 start_va = 0x7ff9fb570000 end_va = 0x7ff9fb5b7fff entry_point = 0x7ff9fb570000 region_type = mapped_file name = "systemeventsbrokerserver.dll" filename = "\\Windows\\System32\\SystemEventsBrokerServer.dll" (normalized: "c:\\windows\\system32\\systemeventsbrokerserver.dll") Region: id = 1631 start_va = 0x9b9cd30000 end_va = 0x9b9cdaffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cd30000" filename = "" Region: id = 1632 start_va = 0x7ff606a3c000 end_va = 0x7ff606a3dfff entry_point = 0x0 region_type = private name = "private_0x00007ff606a3c000" filename = "" Region: id = 1633 start_va = 0x7ff9fb550000 end_va = 0x7ff9fb55afff entry_point = 0x7ff9fb550000 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 1651 start_va = 0x7ff9fb530000 end_va = 0x7ff9fb54afff entry_point = 0x7ff9fb530000 region_type = mapped_file name = "dab.dll" filename = "\\Windows\\System32\\dab.dll" (normalized: "c:\\windows\\system32\\dab.dll") Region: id = 1678 start_va = 0x9b9ceb0000 end_va = 0x9b9cf2ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9ceb0000" filename = "" Region: id = 1679 start_va = 0x9b9cf30000 end_va = 0x9b9cf30fff entry_point = 0x0 region_type = private name = "private_0x0000009b9cf30000" filename = "" Region: id = 1680 start_va = 0x9b9d080000 end_va = 0x9b9d08ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9d080000" filename = "" Region: id = 1681 start_va = 0x7ff606a3a000 end_va = 0x7ff606a3bfff entry_point = 0x0 region_type = private name = "private_0x00007ff606a3a000" filename = "" Region: id = 1682 start_va = 0x9b9cf30000 end_va = 0x9b9cfaffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cf30000" filename = "" Region: id = 1683 start_va = 0x7ff606a38000 end_va = 0x7ff606a39fff entry_point = 0x0 region_type = private name = "private_0x00007ff606a38000" filename = "" Region: id = 2112 start_va = 0x9b9ccb0000 end_va = 0x9b9ccb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b9ccb0000" filename = "" Region: id = 2113 start_va = 0x7ff9fd8c0000 end_va = 0x7ff9fd963fff entry_point = 0x7ff9fd8c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2114 start_va = 0x9b9ccc0000 end_va = 0x9b9ccc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009b9ccc0000" filename = "" Region: id = 2274 start_va = 0x7ff9f8c60000 end_va = 0x7ff9f8c70fff entry_point = 0x7ff9f8c60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2277 start_va = 0x7ff9fc790000 end_va = 0x7ff9fc7e6fff entry_point = 0x7ff9fc790000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2319 start_va = 0x7ff9fd2b0000 end_va = 0x7ff9fd354fff entry_point = 0x7ff9fd2b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2633 start_va = 0x9b9cfb0000 end_va = 0x9b9d02ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9cfb0000" filename = "" Region: id = 2634 start_va = 0x7ff606a3e000 end_va = 0x7ff606a3ffff entry_point = 0x0 region_type = private name = "private_0x00007ff606a3e000" filename = "" Region: id = 2680 start_va = 0x9b9d090000 end_va = 0x9b9d10ffff entry_point = 0x0 region_type = private name = "private_0x0000009b9d090000" filename = "" Region: id = 2681 start_va = 0x7ff606a36000 end_va = 0x7ff606a37fff entry_point = 0x0 region_type = private name = "private_0x00007ff606a36000" filename = "" Thread: id = 128 os_tid = 0x214 Thread: id = 129 os_tid = 0x218 Thread: id = 130 os_tid = 0x21c Thread: id = 131 os_tid = 0x220 Thread: id = 133 os_tid = 0x228 Thread: id = 137 os_tid = 0x23c Thread: id = 138 os_tid = 0x240 Thread: id = 139 os_tid = 0x244 Thread: id = 141 os_tid = 0x24c Thread: id = 144 os_tid = 0x258 Thread: id = 145 os_tid = 0x25c Thread: id = 151 os_tid = 0x270 Thread: id = 152 os_tid = 0x274 Thread: id = 159 os_tid = 0x290 Thread: id = 160 os_tid = 0x294 Thread: id = 260 os_tid = 0x13c Thread: id = 268 os_tid = 0x1fc Process: id = "22" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x5404000" os_pid = "0x22c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:000096cd" [0xc000000f], "LOCAL" [0x7] Region: id = 1488 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1489 start_va = 0x4de72a0000 end_va = 0x4de72bffff entry_point = 0x0 region_type = private name = "private_0x0000004de72a0000" filename = "" Region: id = 1490 start_va = 0x4de72c0000 end_va = 0x4de72cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004de72c0000" filename = "" Region: id = 1491 start_va = 0x4de72d0000 end_va = 0x4de734ffff entry_point = 0x0 region_type = private name = "private_0x0000004de72d0000" filename = "" Region: id = 1492 start_va = 0x4de7350000 end_va = 0x4de7353fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004de7350000" filename = "" Region: id = 1493 start_va = 0x7ff606cc0000 end_va = 0x7ff606ce2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606cc0000" filename = "" Region: id = 1494 start_va = 0x7ff606ce3000 end_va = 0x7ff606ce3fff entry_point = 0x0 region_type = private name = "private_0x00007ff606ce3000" filename = "" Region: id = 1495 start_va = 0x7ff606cee000 end_va = 0x7ff606ceffff entry_point = 0x0 region_type = private name = "private_0x00007ff606cee000" filename = "" Region: id = 1496 start_va = 0x7ff606dc0000 end_va = 0x7ff606dcbfff entry_point = 0x7ff606dc0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1497 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1498 start_va = 0x4de7360000 end_va = 0x4de7360fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004de7360000" filename = "" Region: id = 1499 start_va = 0x4de7370000 end_va = 0x4de7371fff entry_point = 0x0 region_type = private name = "private_0x0000004de7370000" filename = "" Region: id = 1500 start_va = 0x4de74c0000 end_va = 0x4de75bffff entry_point = 0x0 region_type = private name = "private_0x0000004de74c0000" filename = "" Region: id = 1501 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1502 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1503 start_va = 0x4de72a0000 end_va = 0x4de72affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004de72a0000" filename = "" Region: id = 1504 start_va = 0x7ff606bc0000 end_va = 0x7ff606cbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606bc0000" filename = "" Region: id = 1505 start_va = 0x4de7380000 end_va = 0x4de73fdfff entry_point = 0x4de7380000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1506 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1507 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1508 start_va = 0x4de72b0000 end_va = 0x4de72b6fff entry_point = 0x0 region_type = private name = "private_0x0000004de72b0000" filename = "" Region: id = 1509 start_va = 0x4de7400000 end_va = 0x4de747ffff entry_point = 0x0 region_type = private name = "private_0x0000004de7400000" filename = "" Region: id = 1510 start_va = 0x4de75c0000 end_va = 0x4de763ffff entry_point = 0x0 region_type = private name = "private_0x0000004de75c0000" filename = "" Region: id = 1511 start_va = 0x4de7640000 end_va = 0x4de7914fff entry_point = 0x4de7640000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1512 start_va = 0x7ff606cea000 end_va = 0x7ff606cebfff entry_point = 0x0 region_type = private name = "private_0x00007ff606cea000" filename = "" Region: id = 1513 start_va = 0x7ff606cec000 end_va = 0x7ff606cedfff entry_point = 0x0 region_type = private name = "private_0x00007ff606cec000" filename = "" Region: id = 1528 start_va = 0x7ff9fb990000 end_va = 0x7ff9fb9a5fff entry_point = 0x7ff9fb990000 region_type = mapped_file name = "rpcepmap.dll" filename = "\\Windows\\System32\\RpcEpMap.dll" (normalized: "c:\\windows\\system32\\rpcepmap.dll") Region: id = 1532 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1533 start_va = 0x4de7480000 end_va = 0x4de7480fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1534 start_va = 0x4de7480000 end_va = 0x4de7480fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1535 start_va = 0x4de7480000 end_va = 0x4de7480fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1536 start_va = 0x4de7480000 end_va = 0x4de7480fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1537 start_va = 0x4de7480000 end_va = 0x4de7480fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1538 start_va = 0x4de7480000 end_va = 0x4de7480fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1539 start_va = 0x4de7480000 end_va = 0x4de7480fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1540 start_va = 0x4de7480000 end_va = 0x4de7480fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1541 start_va = 0x4de7480000 end_va = 0x4de7480fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1542 start_va = 0x4de7480000 end_va = 0x4de7480fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1543 start_va = 0x7ff9fb970000 end_va = 0x7ff9fb981fff entry_point = 0x7ff9fb970000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1544 start_va = 0x4de7920000 end_va = 0x4de799ffff entry_point = 0x0 region_type = private name = "private_0x0000004de7920000" filename = "" Region: id = 1545 start_va = 0x7ff606ce8000 end_va = 0x7ff606ce9fff entry_point = 0x0 region_type = private name = "private_0x00007ff606ce8000" filename = "" Region: id = 1546 start_va = 0x7ff9fb9b0000 end_va = 0x7ff9fba6bfff entry_point = 0x7ff9fb9b0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1547 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1548 start_va = 0x7ff9fc820000 end_va = 0x7ff9fc864fff entry_point = 0x7ff9fc820000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1549 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1550 start_va = 0x4de79a0000 end_va = 0x4de7b4ffff entry_point = 0x0 region_type = private name = "private_0x0000004de79a0000" filename = "" Region: id = 1551 start_va = 0x4de7480000 end_va = 0x4de7486fff entry_point = 0x0 region_type = private name = "private_0x0000004de7480000" filename = "" Region: id = 1554 start_va = 0x4de75c0000 end_va = 0x4de763ffff entry_point = 0x0 region_type = private name = "private_0x0000004de75c0000" filename = "" Region: id = 1555 start_va = 0x7ff606cea000 end_va = 0x7ff606cebfff entry_point = 0x0 region_type = private name = "private_0x00007ff606cea000" filename = "" Region: id = 1556 start_va = 0x7ff9fc130000 end_va = 0x7ff9fc14dfff entry_point = 0x7ff9fc130000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1557 start_va = 0x7ff9fbd70000 end_va = 0x7ff9fbda4fff entry_point = 0x7ff9fbd70000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1558 start_va = 0x7ff9fc360000 end_va = 0x7ff9fc385fff entry_point = 0x7ff9fc360000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1559 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1560 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1561 start_va = 0x7ff9fd250000 end_va = 0x7ff9fd2a7fff entry_point = 0x7ff9fd250000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1562 start_va = 0x7ff9ff470000 end_va = 0x7ff9ff478fff entry_point = 0x7ff9ff470000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1563 start_va = 0x7ff9fc0d0000 end_va = 0x7ff9fc127fff entry_point = 0x7ff9fc0d0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1564 start_va = 0x4de7490000 end_va = 0x4de7492fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004de7490000" filename = "" Region: id = 1565 start_va = 0x4de74a0000 end_va = 0x4de74a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004de74a0000" filename = "" Region: id = 1566 start_va = 0x4de7b50000 end_va = 0x4de7f4bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004de7b50000" filename = "" Region: id = 1576 start_va = 0x4de79a0000 end_va = 0x4de7a1ffff entry_point = 0x0 region_type = private name = "private_0x0000004de79a0000" filename = "" Region: id = 1577 start_va = 0x4de7b40000 end_va = 0x4de7b4ffff entry_point = 0x0 region_type = private name = "private_0x0000004de7b40000" filename = "" Region: id = 1578 start_va = 0x7ff606ce6000 end_va = 0x7ff606ce7fff entry_point = 0x0 region_type = private name = "private_0x00007ff606ce6000" filename = "" Region: id = 1598 start_va = 0x7ff9fb7a0000 end_va = 0x7ff9fb855fff entry_point = 0x7ff9fb7a0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1600 start_va = 0x4de7a20000 end_va = 0x4de7a9ffff entry_point = 0x0 region_type = private name = "private_0x0000004de7a20000" filename = "" Region: id = 1601 start_va = 0x7ff606ce4000 end_va = 0x7ff606ce5fff entry_point = 0x0 region_type = private name = "private_0x00007ff606ce4000" filename = "" Region: id = 1602 start_va = 0x4de7aa0000 end_va = 0x4de7b1ffff entry_point = 0x0 region_type = private name = "private_0x0000004de7aa0000" filename = "" Region: id = 1603 start_va = 0x7ff606bbe000 end_va = 0x7ff606bbffff entry_point = 0x0 region_type = private name = "private_0x00007ff606bbe000" filename = "" Region: id = 1676 start_va = 0x4de7f50000 end_va = 0x4de7fcffff entry_point = 0x0 region_type = private name = "private_0x0000004de7f50000" filename = "" Region: id = 1677 start_va = 0x7ff606bbc000 end_va = 0x7ff606bbdfff entry_point = 0x0 region_type = private name = "private_0x00007ff606bbc000" filename = "" Region: id = 2106 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2107 start_va = 0x4de74b0000 end_va = 0x4de74b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004de74b0000" filename = "" Region: id = 2108 start_va = 0x7ff9fd8c0000 end_va = 0x7ff9fd963fff entry_point = 0x7ff9fd8c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2109 start_va = 0x4de7b20000 end_va = 0x4de7b20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004de7b20000" filename = "" Region: id = 2754 start_va = 0x7ff9f8800000 end_va = 0x7ff9f8866fff entry_point = 0x7ff9f8800000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Thread: id = 134 os_tid = 0x230 Thread: id = 135 os_tid = 0x234 Thread: id = 136 os_tid = 0x238 Thread: id = 140 os_tid = 0x248 Thread: id = 142 os_tid = 0x250 Thread: id = 146 os_tid = 0x260 Thread: id = 148 os_tid = 0x264 Thread: id = 149 os_tid = 0x268 Thread: id = 158 os_tid = 0x28c Process: id = "23" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x5f3b000" os_pid = "0x284" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0x194" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1666 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1667 start_va = 0x8612ed0000 end_va = 0x8612eeffff entry_point = 0x0 region_type = private name = "private_0x0000008612ed0000" filename = "" Region: id = 1668 start_va = 0x8612ef0000 end_va = 0x8612efefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008612ef0000" filename = "" Region: id = 1669 start_va = 0x8612f00000 end_va = 0x8612f7ffff entry_point = 0x0 region_type = private name = "private_0x0000008612f00000" filename = "" Region: id = 1670 start_va = 0x8612f80000 end_va = 0x8612f83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008612f80000" filename = "" Region: id = 1671 start_va = 0x7ff6b21d0000 end_va = 0x7ff6b21f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6b21d0000" filename = "" Region: id = 1672 start_va = 0x7ff6b21f6000 end_va = 0x7ff6b21f6fff entry_point = 0x0 region_type = private name = "private_0x00007ff6b21f6000" filename = "" Region: id = 1673 start_va = 0x7ff6b21fe000 end_va = 0x7ff6b21fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6b21fe000" filename = "" Region: id = 1674 start_va = 0x7ff6b2de0000 end_va = 0x7ff6b2de7fff entry_point = 0x7ff6b2de0000 region_type = mapped_file name = "logonui.exe" filename = "\\Windows\\System32\\LogonUI.exe" (normalized: "c:\\windows\\system32\\logonui.exe") Region: id = 1675 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1695 start_va = 0x8612f90000 end_va = 0x8612f92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008612f90000" filename = "" Region: id = 1696 start_va = 0x8612fa0000 end_va = 0x8612fa1fff entry_point = 0x0 region_type = private name = "private_0x0000008612fa0000" filename = "" Region: id = 1701 start_va = 0x8613150000 end_va = 0x861324ffff entry_point = 0x0 region_type = private name = "private_0x0000008613150000" filename = "" Region: id = 1702 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1703 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1704 start_va = 0x8612ed0000 end_va = 0x8612edffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008612ed0000" filename = "" Region: id = 1705 start_va = 0x7ff6b20d0000 end_va = 0x7ff6b21cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6b20d0000" filename = "" Region: id = 1712 start_va = 0x8612fb0000 end_va = 0x861302dfff entry_point = 0x8612fb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1713 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1714 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1715 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1716 start_va = 0x8613250000 end_va = 0x86133effff entry_point = 0x0 region_type = private name = "private_0x0000008613250000" filename = "" Region: id = 1717 start_va = 0x8612ee0000 end_va = 0x8612ee6fff entry_point = 0x0 region_type = private name = "private_0x0000008612ee0000" filename = "" Region: id = 1718 start_va = 0x8613030000 end_va = 0x86130e7fff entry_point = 0x8613030000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1727 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1728 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1729 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1730 start_va = 0x8613030000 end_va = 0x8613036fff entry_point = 0x0 region_type = private name = "private_0x0000008613030000" filename = "" Region: id = 1731 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1732 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1733 start_va = 0x8613040000 end_va = 0x8613073fff entry_point = 0x8613040000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1734 start_va = 0x8613250000 end_va = 0x86133d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613250000" filename = "" Region: id = 1735 start_va = 0x86133e0000 end_va = 0x86133effff entry_point = 0x0 region_type = private name = "private_0x00000086133e0000" filename = "" Region: id = 1736 start_va = 0x7ff9fcf70000 end_va = 0x7ff9fcfa3fff entry_point = 0x7ff9fcf70000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1737 start_va = 0x7ff9fdd30000 end_va = 0x7ff9fde68fff entry_point = 0x7ff9fdd30000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1738 start_va = 0x8613040000 end_va = 0x861306ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613040000" filename = "" Region: id = 1739 start_va = 0x86133f0000 end_va = 0x8613570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086133f0000" filename = "" Region: id = 1740 start_va = 0x8613070000 end_va = 0x8613070fff entry_point = 0x0 region_type = private name = "private_0x0000008613070000" filename = "" Region: id = 1741 start_va = 0x8613080000 end_va = 0x8613080fff entry_point = 0x0 region_type = private name = "private_0x0000008613080000" filename = "" Region: id = 1742 start_va = 0x7ff9fb5c0000 end_va = 0x7ff9fb6e0fff entry_point = 0x7ff9fb5c0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1743 start_va = 0x8613580000 end_va = 0x861369ffff entry_point = 0x0 region_type = private name = "private_0x0000008613580000" filename = "" Region: id = 1744 start_va = 0x8613090000 end_va = 0x8613090fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613090000" filename = "" Region: id = 1745 start_va = 0x8613580000 end_va = 0x8613670fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613580000" filename = "" Region: id = 1746 start_va = 0x8613690000 end_va = 0x861369ffff entry_point = 0x0 region_type = private name = "private_0x0000008613690000" filename = "" Region: id = 1747 start_va = 0x8613090000 end_va = 0x8613093fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613090000" filename = "" Region: id = 1748 start_va = 0x86130a0000 end_va = 0x86130a6fff entry_point = 0x0 region_type = private name = "private_0x00000086130a0000" filename = "" Region: id = 1750 start_va = 0x86130b0000 end_va = 0x86130b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086130b0000" filename = "" Region: id = 1751 start_va = 0x7ff9fd8c0000 end_va = 0x7ff9fd963fff entry_point = 0x7ff9fd8c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1758 start_va = 0x86130c0000 end_va = 0x86130c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086130c0000" filename = "" Region: id = 1761 start_va = 0x7ff9fafd0000 end_va = 0x7ff9fb257fff entry_point = 0x7ff9fafd0000 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 1764 start_va = 0x86130d0000 end_va = 0x86130d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086130d0000" filename = "" Region: id = 1765 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1767 start_va = 0x7ff9faed0000 end_va = 0x7ff9faf6efff entry_point = 0x7ff9faed0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1768 start_va = 0x7ff9ff4a0000 end_va = 0x7ff9ff4f0fff entry_point = 0x7ff9ff4a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1769 start_va = 0x7ff9fad20000 end_va = 0x7ff9faec9fff entry_point = 0x7ff9fad20000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 1796 start_va = 0x7ff9fad00000 end_va = 0x7ff9fad1ffff entry_point = 0x7ff9fad00000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1797 start_va = 0x7ff9fc820000 end_va = 0x7ff9fc864fff entry_point = 0x7ff9fc820000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1812 start_va = 0x86130e0000 end_va = 0x86130e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086130e0000" filename = "" Region: id = 1858 start_va = 0x7ff9fa760000 end_va = 0x7ff9fa9b9fff entry_point = 0x7ff9fa760000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\\comctl32.dll") Region: id = 1875 start_va = 0x86130f0000 end_va = 0x86130f0fff entry_point = 0x86130f0000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1878 start_va = 0x8613100000 end_va = 0x8613101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613100000" filename = "" Region: id = 1946 start_va = 0x7ff9fa3a0000 end_va = 0x7ff9fa440fff entry_point = 0x7ff9fa3a0000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 1956 start_va = 0x86136a0000 end_va = 0x861371ffff entry_point = 0x0 region_type = private name = "private_0x00000086136a0000" filename = "" Region: id = 1957 start_va = 0x7ff6b21fc000 end_va = 0x7ff6b21fdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6b21fc000" filename = "" Region: id = 1958 start_va = 0x86130f0000 end_va = 0x86130f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000086130f0000" filename = "" Region: id = 1959 start_va = 0x8613110000 end_va = 0x8613110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613110000" filename = "" Region: id = 1960 start_va = 0x8613720000 end_va = 0x8613b1bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613720000" filename = "" Region: id = 1968 start_va = 0x7ff9f9e90000 end_va = 0x7ff9f9ecdfff entry_point = 0x7ff9f9e90000 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 1970 start_va = 0x8613120000 end_va = 0x8613121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613120000" filename = "" Region: id = 1971 start_va = 0x7ff9fd360000 end_va = 0x7ff9fd4d7fff entry_point = 0x7ff9fd360000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1972 start_va = 0x7ff9fbaa0000 end_va = 0x7ff9fbaacfff entry_point = 0x7ff9fbaa0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1974 start_va = 0x8613b20000 end_va = 0x8613bd5fff entry_point = 0x8613b20000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1976 start_va = 0x7ff9f9e20000 end_va = 0x7ff9f9e81fff entry_point = 0x7ff9f9e20000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1977 start_va = 0x7ff9fb6f0000 end_va = 0x7ff9fb715fff entry_point = 0x7ff9fb6f0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1978 start_va = 0x7ff9fca50000 end_va = 0x7ff9fca99fff entry_point = 0x7ff9fca50000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1979 start_va = 0x8613130000 end_va = 0x8613130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613130000" filename = "" Region: id = 1997 start_va = 0x7ff9f9df0000 end_va = 0x7ff9f9e1afff entry_point = 0x7ff9f9df0000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 2012 start_va = 0x7ff9f9d90000 end_va = 0x7ff9f9db1fff entry_point = 0x7ff9f9d90000 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 2029 start_va = 0x7ff9fd2b0000 end_va = 0x7ff9fd354fff entry_point = 0x7ff9fd2b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2030 start_va = 0x7ff9f9810000 end_va = 0x7ff9f986dfff entry_point = 0x7ff9f9810000 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 2077 start_va = 0x8613b20000 end_va = 0x8613b9ffff entry_point = 0x0 region_type = private name = "private_0x0000008613b20000" filename = "" Region: id = 2078 start_va = 0x7ff6b21fa000 end_va = 0x7ff6b21fbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6b21fa000" filename = "" Region: id = 2080 start_va = 0x7ff9f9680000 end_va = 0x7ff9f97d0fff entry_point = 0x7ff9f9680000 region_type = mapped_file name = "smartcardcredentialprovider.dll" filename = "\\Windows\\System32\\SmartcardCredentialProvider.dll" (normalized: "c:\\windows\\system32\\smartcardcredentialprovider.dll") Region: id = 2082 start_va = 0x8613ba0000 end_va = 0x8613c1ffff entry_point = 0x0 region_type = private name = "private_0x0000008613ba0000" filename = "" Region: id = 2083 start_va = 0x7ff6b21f8000 end_va = 0x7ff6b21f9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6b21f8000" filename = "" Region: id = 2085 start_va = 0x8613140000 end_va = 0x8613141fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613140000" filename = "" Region: id = 2088 start_va = 0x8613680000 end_va = 0x8613681fff entry_point = 0x8613680000 region_type = mapped_file name = "dui70.dll.mui" filename = "\\Windows\\System32\\en-US\\dui70.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dui70.dll.mui") Region: id = 2092 start_va = 0x7ff9f9550000 end_va = 0x7ff9f956cfff entry_point = 0x7ff9f9550000 region_type = mapped_file name = "cngcredui.dll" filename = "\\Windows\\System32\\cngcredui.dll" (normalized: "c:\\windows\\system32\\cngcredui.dll") Region: id = 2105 start_va = 0x7ff9f9370000 end_va = 0x7ff9f954efff entry_point = 0x7ff9f9370000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 2132 start_va = 0x8613c20000 end_va = 0x8613c9ffff entry_point = 0x0 region_type = private name = "private_0x0000008613c20000" filename = "" Region: id = 2133 start_va = 0x7ff6b21f4000 end_va = 0x7ff6b21f5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6b21f4000" filename = "" Region: id = 2134 start_va = 0x7ff9f92d0000 end_va = 0x7ff9f9323fff entry_point = 0x7ff9f92d0000 region_type = mapped_file name = "biocredprov.dll" filename = "\\Windows\\System32\\BioCredProv.dll" (normalized: "c:\\windows\\system32\\biocredprov.dll") Region: id = 2139 start_va = 0x8613ca0000 end_va = 0x8613ca1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008613ca0000" filename = "" Region: id = 2147 start_va = 0x7ff9f92b0000 end_va = 0x7ff9f92ccfff entry_point = 0x7ff9f92b0000 region_type = mapped_file name = "winbio.dll" filename = "\\Windows\\System32\\winbio.dll" (normalized: "c:\\windows\\system32\\winbio.dll") Region: id = 2148 start_va = 0x7ff9fc130000 end_va = 0x7ff9fc14dfff entry_point = 0x7ff9fc130000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2153 start_va = 0x7ff9f9240000 end_va = 0x7ff9f92a2fff entry_point = 0x7ff9f9240000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 2154 start_va = 0x8613cb0000 end_va = 0x8613cb0fff entry_point = 0x8613cb0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 2155 start_va = 0x7ff9f91e0000 end_va = 0x7ff9f9236fff entry_point = 0x7ff9f91e0000 region_type = mapped_file name = "certcredprovider.dll" filename = "\\Windows\\System32\\certCredProvider.dll" (normalized: "c:\\windows\\system32\\certcredprovider.dll") Region: id = 2156 start_va = 0x7ff9fd190000 end_va = 0x7ff9fd246fff entry_point = 0x7ff9fd190000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2157 start_va = 0x8613cc0000 end_va = 0x8613f94fff entry_point = 0x8613cc0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2159 start_va = 0x7ff9f90d0000 end_va = 0x7ff9f911bfff entry_point = 0x7ff9f90d0000 region_type = mapped_file name = "wlidcredprov.dll" filename = "\\Windows\\System32\\wlidcredprov.dll" (normalized: "c:\\windows\\system32\\wlidcredprov.dll") Region: id = 2160 start_va = 0x8613fa0000 end_va = 0x861409ffff entry_point = 0x0 region_type = private name = "private_0x0000008613fa0000" filename = "" Region: id = 2161 start_va = 0x86140a0000 end_va = 0x861419ffff entry_point = 0x0 region_type = private name = "private_0x00000086140a0000" filename = "" Region: id = 2162 start_va = 0x7ff9f9d40000 end_va = 0x7ff9f9d8bfff entry_point = 0x7ff9f9d40000 region_type = mapped_file name = "uianimation.dll" filename = "\\Windows\\System32\\UIAnimation.dll" (normalized: "c:\\windows\\system32\\uianimation.dll") Region: id = 2164 start_va = 0x7ff9fa4c0000 end_va = 0x7ff9fa53efff entry_point = 0x7ff9fa4c0000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 2165 start_va = 0x7ff9fa550000 end_va = 0x7ff9fa757fff entry_point = 0x7ff9fa550000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 2166 start_va = 0x7ff9fa130000 end_va = 0x7ff9fa37cfff entry_point = 0x7ff9fa130000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 2167 start_va = 0x86141a0000 end_va = 0x86141a0fff entry_point = 0x0 region_type = private name = "private_0x00000086141a0000" filename = "" Region: id = 2168 start_va = 0x86141b0000 end_va = 0x86141b0fff entry_point = 0x0 region_type = private name = "private_0x00000086141b0000" filename = "" Region: id = 2169 start_va = 0x86141c0000 end_va = 0x86141c0fff entry_point = 0x0 region_type = private name = "private_0x00000086141c0000" filename = "" Region: id = 2170 start_va = 0x86141d0000 end_va = 0x861424ffff entry_point = 0x0 region_type = private name = "private_0x00000086141d0000" filename = "" Region: id = 2171 start_va = 0x7ff6b20ce000 end_va = 0x7ff6b20cffff entry_point = 0x0 region_type = private name = "private_0x00007ff6b20ce000" filename = "" Region: id = 2172 start_va = 0x7ff9faf70000 end_va = 0x7ff9fafc9fff entry_point = 0x7ff9faf70000 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\System32\\dcomp.dll" (normalized: "c:\\windows\\system32\\dcomp.dll") Region: id = 2173 start_va = 0x8614250000 end_va = 0x8614250fff entry_point = 0x0 region_type = private name = "private_0x0000008614250000" filename = "" Region: id = 2174 start_va = 0x8614260000 end_va = 0x8614260fff entry_point = 0x0 region_type = private name = "private_0x0000008614260000" filename = "" Region: id = 2178 start_va = 0x7ff9f9170000 end_va = 0x7ff9f91dbfff entry_point = 0x7ff9f9170000 region_type = mapped_file name = "rasplap.dll" filename = "\\Windows\\System32\\rasplap.dll" (normalized: "c:\\windows\\system32\\rasplap.dll") Region: id = 2179 start_va = 0x7ff9f9020000 end_va = 0x7ff9f90ccfff entry_point = 0x7ff9f9020000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 2181 start_va = 0x7ff9f9d00000 end_va = 0x7ff9f9d11fff entry_point = 0x7ff9f9d00000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 2182 start_va = 0x7ff9f9140000 end_va = 0x7ff9f916dfff entry_point = 0x7ff9f9140000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 2183 start_va = 0x7ff9fd250000 end_va = 0x7ff9fd2a7fff entry_point = 0x7ff9fd250000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2184 start_va = 0x7ff9ff470000 end_va = 0x7ff9ff478fff entry_point = 0x7ff9ff470000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2185 start_va = 0x8614270000 end_va = 0x8614270fff entry_point = 0x0 region_type = private name = "private_0x0000008614270000" filename = "" Region: id = 2188 start_va = 0x7ff9f9d30000 end_va = 0x7ff9f9d3cfff entry_point = 0x7ff9f9d30000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 2189 start_va = 0x8614280000 end_va = 0x8614374fff entry_point = 0x8614280000 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 2192 start_va = 0x8614280000 end_va = 0x8614374fff entry_point = 0x8614280000 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 2193 start_va = 0x8614380000 end_va = 0x8614380fff entry_point = 0x8614380000 region_type = mapped_file name = "basebrd.dll.mui" filename = "\\Windows\\Branding\\Basebrd\\en-US\\basebrd.dll.mui" (normalized: "c:\\windows\\branding\\basebrd\\en-us\\basebrd.dll.mui") Region: id = 2194 start_va = 0x8614390000 end_va = 0x86143a1fff entry_point = 0x0 region_type = private name = "private_0x0000008614390000" filename = "" Region: id = 2195 start_va = 0x7ff9fe050000 end_va = 0x7ff9ff466fff entry_point = 0x7ff9fe050000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2207 start_va = 0x7ff9fb4a0000 end_va = 0x7ff9fb527fff entry_point = 0x7ff9fb4a0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 2257 start_va = 0x7ff9f9130000 end_va = 0x7ff9f913cfff entry_point = 0x7ff9f9130000 region_type = mapped_file name = "authext.dll" filename = "\\Windows\\System32\\AuthExt.dll" (normalized: "c:\\windows\\system32\\authext.dll") Region: id = 2271 start_va = 0x7ff9f8e90000 end_va = 0x7ff9f8ff4fff entry_point = 0x7ff9f8e90000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2282 start_va = 0x8614280000 end_va = 0x8617115fff entry_point = 0x8614280000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2302 start_va = 0x8617120000 end_va = 0x861719ffff entry_point = 0x0 region_type = private name = "private_0x0000008617120000" filename = "" Region: id = 2303 start_va = 0x7ff6b20cc000 end_va = 0x7ff6b20cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6b20cc000" filename = "" Region: id = 2304 start_va = 0x7ff9f8af0000 end_va = 0x7ff9f8b0bfff entry_point = 0x7ff9f8af0000 region_type = mapped_file name = "networkstatus.dll" filename = "\\Windows\\System32\\NetworkStatus.dll" (normalized: "c:\\windows\\system32\\networkstatus.dll") Region: id = 2305 start_va = 0x86171a0000 end_va = 0x861729ffff entry_point = 0x0 region_type = private name = "private_0x00000086171a0000" filename = "" Region: id = 2309 start_va = 0x86172a0000 end_va = 0x861731ffff entry_point = 0x0 region_type = private name = "private_0x00000086172a0000" filename = "" Region: id = 2310 start_va = 0x7ff6b20ca000 end_va = 0x7ff6b20cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6b20ca000" filename = "" Region: id = 2311 start_va = 0x7ff9f8c60000 end_va = 0x7ff9f8c70fff entry_point = 0x7ff9f8c60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2312 start_va = 0x7ff9fc790000 end_va = 0x7ff9fc7e6fff entry_point = 0x7ff9fc790000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Thread: id = 157 os_tid = 0x288 Thread: id = 183 os_tid = 0x2fc Thread: id = 193 os_tid = 0x324 Thread: id = 194 os_tid = 0x328 Thread: id = 200 os_tid = 0x340 Thread: id = 204 os_tid = 0x34c Thread: id = 218 os_tid = 0x388 Thread: id = 221 os_tid = 0x394 Thread: id = 222 os_tid = 0x398 Process: id = "24" image_name = "dwm.exe" filename = "c:\\windows\\system32\\dwm.exe" page_root = "0x5fc3000" os_pid = "0x298" os_integrity_level = "0x4000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0x194" cmd_line = "\"dwm.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "Window Manager\\DWM-1" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local Service" [0x7], "LOCAL" [0x7], "Window Manager\\Window Manager Group" [0x7] Region: id = 1684 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1685 start_va = 0xa74dbf0000 end_va = 0xa74dc0ffff entry_point = 0x0 region_type = private name = "private_0x000000a74dbf0000" filename = "" Region: id = 1686 start_va = 0xa74dc10000 end_va = 0xa74dc1efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74dc10000" filename = "" Region: id = 1687 start_va = 0xa74dc20000 end_va = 0xa74dc9ffff entry_point = 0x0 region_type = private name = "private_0x000000a74dc20000" filename = "" Region: id = 1688 start_va = 0x7ff7a82e0000 end_va = 0x7ff7a8302fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7a82e0000" filename = "" Region: id = 1689 start_va = 0x7ff7a830c000 end_va = 0x7ff7a830dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7a830c000" filename = "" Region: id = 1690 start_va = 0x7ff7a830e000 end_va = 0x7ff7a830efff entry_point = 0x0 region_type = private name = "private_0x00007ff7a830e000" filename = "" Region: id = 1691 start_va = 0x7ff7a8340000 end_va = 0x7ff7a8360fff entry_point = 0x7ff7a8340000 region_type = mapped_file name = "dwm.exe" filename = "\\Windows\\System32\\dwm.exe" (normalized: "c:\\windows\\system32\\dwm.exe") Region: id = 1692 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1706 start_va = 0xa74dca0000 end_va = 0xa74dca3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74dca0000" filename = "" Region: id = 1709 start_va = 0xa74dcb0000 end_va = 0xa74dcb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74dcb0000" filename = "" Region: id = 1711 start_va = 0xa74dcc0000 end_va = 0xa74dcc1fff entry_point = 0x0 region_type = private name = "private_0x000000a74dcc0000" filename = "" Region: id = 1719 start_va = 0xa74de60000 end_va = 0xa74df5ffff entry_point = 0x0 region_type = private name = "private_0x000000a74de60000" filename = "" Region: id = 1720 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1721 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1722 start_va = 0xa74dbf0000 end_va = 0xa74dbfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74dbf0000" filename = "" Region: id = 1723 start_va = 0x7ff7a81e0000 end_va = 0x7ff7a82dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7a81e0000" filename = "" Region: id = 1724 start_va = 0xa74dcd0000 end_va = 0xa74dd4dfff entry_point = 0xa74dcd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1725 start_va = 0x7ff9fb4a0000 end_va = 0x7ff9fb527fff entry_point = 0x7ff9fb4a0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1726 start_va = 0xa74dd50000 end_va = 0xa74ddb9fff entry_point = 0xa74dd50000 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 1752 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1753 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1754 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1755 start_va = 0x7ff9fcf70000 end_va = 0x7ff9fcfa3fff entry_point = 0x7ff9fcf70000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1756 start_va = 0xa74dc00000 end_va = 0xa74dc06fff entry_point = 0x0 region_type = private name = "private_0x000000a74dc00000" filename = "" Region: id = 1757 start_va = 0x7ff9fb470000 end_va = 0x7ff9fb49bfff entry_point = 0x7ff9fb470000 region_type = mapped_file name = "dwmredir.dll" filename = "\\Windows\\System32\\dwmredir.dll" (normalized: "c:\\windows\\system32\\dwmredir.dll") Region: id = 1759 start_va = 0x7ff9fb260000 end_va = 0x7ff9fb46efff entry_point = 0x7ff9fb260000 region_type = mapped_file name = "dwmcore.dll" filename = "\\Windows\\System32\\dwmcore.dll" (normalized: "c:\\windows\\system32\\dwmcore.dll") Region: id = 1760 start_va = 0x7ff9fdd30000 end_va = 0x7ff9fde68fff entry_point = 0x7ff9fdd30000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1766 start_va = 0x7ff9faf70000 end_va = 0x7ff9fafc9fff entry_point = 0x7ff9faf70000 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\System32\\dcomp.dll" (normalized: "c:\\windows\\system32\\dcomp.dll") Region: id = 1813 start_va = 0xa74dd50000 end_va = 0xa74de3ffff entry_point = 0x0 region_type = private name = "private_0x000000a74dd50000" filename = "" Region: id = 1814 start_va = 0xa74dd50000 end_va = 0xa74dd56fff entry_point = 0x0 region_type = private name = "private_0x000000a74dd50000" filename = "" Region: id = 1815 start_va = 0xa74de30000 end_va = 0xa74de3ffff entry_point = 0x0 region_type = private name = "private_0x000000a74de30000" filename = "" Region: id = 1816 start_va = 0xa74df60000 end_va = 0xa74e0e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74df60000" filename = "" Region: id = 1817 start_va = 0xa74e0f0000 end_va = 0xa74e270fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74e0f0000" filename = "" Region: id = 1818 start_va = 0xa74e280000 end_va = 0xa74f67ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74e280000" filename = "" Region: id = 1826 start_va = 0xa74dd60000 end_va = 0xa74dd62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74dd60000" filename = "" Region: id = 1827 start_va = 0xa74dd70000 end_va = 0xa74dd70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74dd70000" filename = "" Region: id = 1828 start_va = 0xa74dd80000 end_va = 0xa74dd80fff entry_point = 0x0 region_type = private name = "private_0x000000a74dd80000" filename = "" Region: id = 1829 start_va = 0xa74dd90000 end_va = 0xa74dd90fff entry_point = 0x0 region_type = private name = "private_0x000000a74dd90000" filename = "" Region: id = 1830 start_va = 0xa74dda0000 end_va = 0xa74dda0fff entry_point = 0x0 region_type = private name = "private_0x000000a74dda0000" filename = "" Region: id = 1831 start_va = 0xa74f680000 end_va = 0xa74fa7bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74f680000" filename = "" Region: id = 1832 start_va = 0x7ff9fb5c0000 end_va = 0x7ff9fb6e0fff entry_point = 0x7ff9fb5c0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1833 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1834 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1835 start_va = 0xa74ddb0000 end_va = 0xa74de2ffff entry_point = 0x0 region_type = private name = "private_0x000000a74ddb0000" filename = "" Region: id = 1836 start_va = 0xa74ddb0000 end_va = 0xa74ddb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74ddb0000" filename = "" Region: id = 1837 start_va = 0xa74de20000 end_va = 0xa74de2ffff entry_point = 0x0 region_type = private name = "private_0x000000a74de20000" filename = "" Region: id = 1838 start_va = 0xa74fa80000 end_va = 0xa74fb70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74fa80000" filename = "" Region: id = 1839 start_va = 0xa74ddb0000 end_va = 0xa74ddb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74ddb0000" filename = "" Region: id = 1840 start_va = 0xa74ddc0000 end_va = 0xa74ddc6fff entry_point = 0x0 region_type = private name = "private_0x000000a74ddc0000" filename = "" Region: id = 1841 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1842 start_va = 0xa74fb80000 end_va = 0xa74fbfffff entry_point = 0x0 region_type = private name = "private_0x000000a74fb80000" filename = "" Region: id = 1843 start_va = 0xa74fc00000 end_va = 0xa74fc7ffff entry_point = 0x0 region_type = private name = "private_0x000000a74fc00000" filename = "" Region: id = 1844 start_va = 0x7ff7a8308000 end_va = 0x7ff7a8309fff entry_point = 0x0 region_type = private name = "private_0x00007ff7a8308000" filename = "" Region: id = 1845 start_va = 0x7ff7a830a000 end_va = 0x7ff7a830bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7a830a000" filename = "" Region: id = 1846 start_va = 0xa74ddd0000 end_va = 0xa74ddd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74ddd0000" filename = "" Region: id = 1847 start_va = 0xa74dde0000 end_va = 0xa74dde0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74dde0000" filename = "" Region: id = 1848 start_va = 0xa74fc00000 end_va = 0xa74fc7ffff entry_point = 0x0 region_type = private name = "private_0x000000a74fc00000" filename = "" Region: id = 1849 start_va = 0x7ff7a8308000 end_va = 0x7ff7a8309fff entry_point = 0x0 region_type = private name = "private_0x00007ff7a8308000" filename = "" Region: id = 1850 start_va = 0x7ff9fa9c0000 end_va = 0x7ff9fab52fff entry_point = 0x7ff9fa9c0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 1854 start_va = 0xa74ddf0000 end_va = 0xa74ddf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74ddf0000" filename = "" Region: id = 1855 start_va = 0xa74fc80000 end_va = 0xa74fcfffff entry_point = 0x0 region_type = private name = "private_0x000000a74fc80000" filename = "" Region: id = 1856 start_va = 0x7ff7a8306000 end_va = 0x7ff7a8307fff entry_point = 0x0 region_type = private name = "private_0x00007ff7a8306000" filename = "" Region: id = 1857 start_va = 0x7ff9fa540000 end_va = 0x7ff9fa54afff entry_point = 0x7ff9fa540000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1859 start_va = 0x7ff9fa550000 end_va = 0x7ff9fa757fff entry_point = 0x7ff9fa550000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 1860 start_va = 0xa74fd00000 end_va = 0xa74fd7ffff entry_point = 0x0 region_type = private name = "private_0x000000a74fd00000" filename = "" Region: id = 1861 start_va = 0x7ff7a8304000 end_va = 0x7ff7a8305fff entry_point = 0x0 region_type = private name = "private_0x00007ff7a8304000" filename = "" Region: id = 1862 start_va = 0x7ff9fa4c0000 end_va = 0x7ff9fa53efff entry_point = 0x7ff9fa4c0000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 1943 start_va = 0xa74fd80000 end_va = 0xa750054fff entry_point = 0xa74fd80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1944 start_va = 0xa750060000 end_va = 0xa7500dffff entry_point = 0x0 region_type = private name = "private_0x000000a750060000" filename = "" Region: id = 1945 start_va = 0x7ff7a81de000 end_va = 0x7ff7a81dffff entry_point = 0x0 region_type = private name = "private_0x00007ff7a81de000" filename = "" Region: id = 1947 start_va = 0x7ff9fa130000 end_va = 0x7ff9fa37cfff entry_point = 0x7ff9fa130000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 1949 start_va = 0x7ff9fa130000 end_va = 0x7ff9fa37cfff entry_point = 0x7ff9fa130000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 1950 start_va = 0xa74de00000 end_va = 0xa74de00fff entry_point = 0x0 region_type = private name = "private_0x000000a74de00000" filename = "" Region: id = 1951 start_va = 0xa74de10000 end_va = 0xa74de10fff entry_point = 0x0 region_type = private name = "private_0x000000a74de10000" filename = "" Region: id = 1952 start_va = 0xa74de40000 end_va = 0xa74de40fff entry_point = 0x0 region_type = private name = "private_0x000000a74de40000" filename = "" Region: id = 1954 start_va = 0xa7500e0000 end_va = 0xa75015ffff entry_point = 0x0 region_type = private name = "private_0x000000a7500e0000" filename = "" Region: id = 1955 start_va = 0x7ff7a81dc000 end_va = 0x7ff7a81ddfff entry_point = 0x0 region_type = private name = "private_0x00007ff7a81dc000" filename = "" Region: id = 1962 start_va = 0xa74de50000 end_va = 0xa74de50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74de50000" filename = "" Region: id = 1963 start_va = 0x7ff9f9ed0000 end_va = 0x7ff9f9f95fff entry_point = 0x7ff9f9ed0000 region_type = mapped_file name = "udwm.dll" filename = "\\Windows\\System32\\uDWM.dll" (normalized: "c:\\windows\\system32\\udwm.dll") Region: id = 1973 start_va = 0xa750160000 end_va = 0xa750268fff entry_point = 0xa750160000 region_type = mapped_file name = "aero.msstyles" filename = "\\Windows\\Resources\\Themes\\aero\\aero.msstyles" (normalized: "c:\\windows\\resources\\themes\\aero\\aero.msstyles") Region: id = 1998 start_va = 0xa750270000 end_va = 0xa7502effff entry_point = 0x0 region_type = private name = "private_0x000000a750270000" filename = "" Region: id = 1999 start_va = 0xa7502f0000 end_va = 0xa7503a7fff entry_point = 0xa7502f0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2000 start_va = 0x7ff7a81da000 end_va = 0x7ff7a81dbfff entry_point = 0x0 region_type = private name = "private_0x00007ff7a81da000" filename = "" Region: id = 2001 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2002 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2003 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2004 start_va = 0xa74ddd0000 end_va = 0xa74ddd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a74ddd0000" filename = "" Region: id = 2005 start_va = 0xa7502f0000 end_va = 0xa7502f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a7502f0000" filename = "" Region: id = 2006 start_va = 0x7ff9fd8c0000 end_va = 0x7ff9fd963fff entry_point = 0x7ff9fd8c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2007 start_va = 0xa750300000 end_va = 0xa750300fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a750300000" filename = "" Region: id = 2013 start_va = 0x7ff9f9d40000 end_va = 0x7ff9f9d8bfff entry_point = 0x7ff9f9d40000 region_type = mapped_file name = "uianimation.dll" filename = "\\Windows\\System32\\UIAnimation.dll" (normalized: "c:\\windows\\system32\\uianimation.dll") Region: id = 2021 start_va = 0xa750310000 end_va = 0xa750327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a750310000" filename = "" Region: id = 2022 start_va = 0xa750330000 end_va = 0xa75035ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a750330000" filename = "" Region: id = 2023 start_va = 0xa750360000 end_va = 0xa750360fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a750360000" filename = "" Region: id = 2024 start_va = 0xa750370000 end_va = 0xa75046ffff entry_point = 0x0 region_type = private name = "private_0x000000a750370000" filename = "" Region: id = 2028 start_va = 0x7ff9f9870000 end_va = 0x7ff9f9cd6fff entry_point = 0x7ff9f9870000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 2076 start_va = 0xa750470000 end_va = 0xa75056ffff entry_point = 0x0 region_type = private name = "private_0x000000a750470000" filename = "" Region: id = 2087 start_va = 0xa750570000 end_va = 0xa7505a2fff entry_point = 0xa750570000 region_type = mapped_file name = "d2d1.dll.mui" filename = "\\Windows\\System32\\en-US\\d2d1.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\d2d1.dll.mui") Region: id = 2089 start_va = 0x7ff9f9590000 end_va = 0x7ff9f95c7fff entry_point = 0x7ff9f9590000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2093 start_va = 0xa7505b0000 end_va = 0xa7507affff entry_point = 0x0 region_type = private name = "private_0x000000a7505b0000" filename = "" Region: id = 2127 start_va = 0xa7507b0000 end_va = 0xa750ca1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a7507b0000" filename = "" Region: id = 2128 start_va = 0xa750cb0000 end_va = 0xa7511a1fff entry_point = 0x0 region_type = private name = "private_0x000000a750cb0000" filename = "" Region: id = 2129 start_va = 0xa7511b0000 end_va = 0xa7516a1fff entry_point = 0x0 region_type = private name = "private_0x000000a7511b0000" filename = "" Region: id = 2130 start_va = 0xa7516b0000 end_va = 0xa751ba1fff entry_point = 0x0 region_type = private name = "private_0x000000a7516b0000" filename = "" Region: id = 2131 start_va = 0xa751bb0000 end_va = 0xa7520a1fff entry_point = 0x0 region_type = private name = "private_0x000000a751bb0000" filename = "" Region: id = 2135 start_va = 0xa750cb0000 end_va = 0xa750d2ffff entry_point = 0x0 region_type = private name = "private_0x000000a750cb0000" filename = "" Region: id = 2136 start_va = 0xa750d30000 end_va = 0xa751221fff entry_point = 0x0 region_type = private name = "private_0x000000a750d30000" filename = "" Region: id = 2137 start_va = 0x7ff7a81d8000 end_va = 0x7ff7a81d9fff entry_point = 0x0 region_type = private name = "private_0x00007ff7a81d8000" filename = "" Region: id = 2140 start_va = 0x7ff9fc820000 end_va = 0x7ff9fc864fff entry_point = 0x7ff9fc820000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2175 start_va = 0xa751230000 end_va = 0xa751230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a751230000" filename = "" Region: id = 2176 start_va = 0xa751240000 end_va = 0xa751240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a751240000" filename = "" Region: id = 2177 start_va = 0xa751250000 end_va = 0xa751250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a751250000" filename = "" Region: id = 2186 start_va = 0xa751260000 end_va = 0xa751260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a751260000" filename = "" Region: id = 2187 start_va = 0xa751270000 end_va = 0xa751270fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000a751270000" filename = "" Thread: id = 161 os_tid = 0x29c Thread: id = 168 os_tid = 0x2bc Thread: id = 169 os_tid = 0x2c0 Thread: id = 170 os_tid = 0x2c4 Thread: id = 171 os_tid = 0x2c8 Thread: id = 172 os_tid = 0x2cc Thread: id = 181 os_tid = 0x2f4 Thread: id = 182 os_tid = 0x2f8 Thread: id = 187 os_tid = 0x30c Thread: id = 201 os_tid = 0x344 Process: id = "25" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6280000" os_pid = "0x2a8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\vmictimesync" [0xa], "NT SERVICE\\Wcmsvc" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a48a" [0xc000000f], "LOCAL" [0x7] Region: id = 1770 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1771 start_va = 0xe086690000 end_va = 0xe0866affff entry_point = 0x0 region_type = private name = "private_0x000000e086690000" filename = "" Region: id = 1772 start_va = 0xe0866b0000 end_va = 0xe0866befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e0866b0000" filename = "" Region: id = 1773 start_va = 0xe0866c0000 end_va = 0xe08673ffff entry_point = 0x0 region_type = private name = "private_0x000000e0866c0000" filename = "" Region: id = 1774 start_va = 0xe086740000 end_va = 0xe086743fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e086740000" filename = "" Region: id = 1775 start_va = 0x7ff606ad0000 end_va = 0x7ff606af2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606ad0000" filename = "" Region: id = 1776 start_va = 0x7ff606af9000 end_va = 0x7ff606af9fff entry_point = 0x0 region_type = private name = "private_0x00007ff606af9000" filename = "" Region: id = 1777 start_va = 0x7ff606afe000 end_va = 0x7ff606afffff entry_point = 0x0 region_type = private name = "private_0x00007ff606afe000" filename = "" Region: id = 1778 start_va = 0x7ff606dc0000 end_va = 0x7ff606dcbfff entry_point = 0x7ff606dc0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1779 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1780 start_va = 0xe086750000 end_va = 0xe086750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e086750000" filename = "" Region: id = 1781 start_va = 0xe086760000 end_va = 0xe086761fff entry_point = 0x0 region_type = private name = "private_0x000000e086760000" filename = "" Region: id = 1782 start_va = 0xe086910000 end_va = 0xe086a0ffff entry_point = 0x0 region_type = private name = "private_0x000000e086910000" filename = "" Region: id = 1783 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1784 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1785 start_va = 0xe086690000 end_va = 0xe08669ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e086690000" filename = "" Region: id = 1786 start_va = 0x7ff6069d0000 end_va = 0x7ff606acffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6069d0000" filename = "" Region: id = 1787 start_va = 0xe086770000 end_va = 0xe0867edfff entry_point = 0xe086770000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1788 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1789 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1790 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1791 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1792 start_va = 0xe086a10000 end_va = 0xe086b3ffff entry_point = 0x0 region_type = private name = "private_0x000000e086a10000" filename = "" Region: id = 1793 start_va = 0xe0866a0000 end_va = 0xe0866a6fff entry_point = 0x0 region_type = private name = "private_0x000000e0866a0000" filename = "" Region: id = 1794 start_va = 0xe0867f0000 end_va = 0xe0868a7fff entry_point = 0xe0867f0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1795 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1798 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1799 start_va = 0xe0867f0000 end_va = 0xe0867f6fff entry_point = 0x0 region_type = private name = "private_0x000000e0867f0000" filename = "" Region: id = 1800 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1801 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1802 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1803 start_va = 0xe086800000 end_va = 0xe0868bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e086800000" filename = "" Region: id = 1804 start_va = 0xe086b40000 end_va = 0xe086cc7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e086b40000" filename = "" Region: id = 1805 start_va = 0xe086cd0000 end_va = 0xe086e50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e086cd0000" filename = "" Region: id = 1806 start_va = 0xe0868c0000 end_va = 0xe0868c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e0868c0000" filename = "" Region: id = 1807 start_va = 0xe0868d0000 end_va = 0xe0868d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e0868d0000" filename = "" Region: id = 1808 start_va = 0xe0868e0000 end_va = 0xe0868e0fff entry_point = 0x0 region_type = private name = "private_0x000000e0868e0000" filename = "" Region: id = 1809 start_va = 0xe0868f0000 end_va = 0xe0868f0fff entry_point = 0x0 region_type = private name = "private_0x000000e0868f0000" filename = "" Region: id = 1810 start_va = 0xe086e60000 end_va = 0xe08725bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e086e60000" filename = "" Region: id = 1819 start_va = 0xe086a10000 end_va = 0xe086a8ffff entry_point = 0x0 region_type = private name = "private_0x000000e086a10000" filename = "" Region: id = 1820 start_va = 0xe086a90000 end_va = 0xe086b0ffff entry_point = 0x0 region_type = private name = "private_0x000000e086a90000" filename = "" Region: id = 1821 start_va = 0xe086b30000 end_va = 0xe086b3ffff entry_point = 0x0 region_type = private name = "private_0x000000e086b30000" filename = "" Region: id = 1822 start_va = 0x7ff606afa000 end_va = 0x7ff606afbfff entry_point = 0x0 region_type = private name = "private_0x00007ff606afa000" filename = "" Region: id = 1823 start_va = 0x7ff606afc000 end_va = 0x7ff606afdfff entry_point = 0x0 region_type = private name = "private_0x00007ff606afc000" filename = "" Region: id = 1824 start_va = 0xe087260000 end_va = 0xe087534fff entry_point = 0xe087260000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1825 start_va = 0x7ff9fab60000 end_va = 0x7ff9facfafff entry_point = 0x7ff9fab60000 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 1851 start_va = 0xe087540000 end_va = 0xe087637fff entry_point = 0x0 region_type = private name = "private_0x000000e087540000" filename = "" Region: id = 1852 start_va = 0xe086900000 end_va = 0xe086906fff entry_point = 0x0 region_type = private name = "private_0x000000e086900000" filename = "" Region: id = 1853 start_va = 0xe087640000 end_va = 0xe08773ffff entry_point = 0x0 region_type = private name = "private_0x000000e087640000" filename = "" Region: id = 1863 start_va = 0xe086b10000 end_va = 0xe086b11fff entry_point = 0xe086b10000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1864 start_va = 0xe086b20000 end_va = 0xe086b27fff entry_point = 0xe086b20000 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1865 start_va = 0xe086b10000 end_va = 0xe086b11fff entry_point = 0xe086b10000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1866 start_va = 0xe086b20000 end_va = 0xe086b27fff entry_point = 0xe086b20000 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1867 start_va = 0xe087540000 end_va = 0xe0875bffff entry_point = 0x0 region_type = private name = "private_0x000000e087540000" filename = "" Region: id = 1868 start_va = 0xe087630000 end_va = 0xe087637fff entry_point = 0x0 region_type = private name = "private_0x000000e087630000" filename = "" Region: id = 1869 start_va = 0x7ff606af7000 end_va = 0x7ff606af8fff entry_point = 0x0 region_type = private name = "private_0x00007ff606af7000" filename = "" Region: id = 1870 start_va = 0x7ff9fc820000 end_va = 0x7ff9fc864fff entry_point = 0x7ff9fc820000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1871 start_va = 0xe087740000 end_va = 0xe0877bffff entry_point = 0x0 region_type = private name = "private_0x000000e087740000" filename = "" Region: id = 1872 start_va = 0x7ff606af5000 end_va = 0x7ff606af6fff entry_point = 0x0 region_type = private name = "private_0x00007ff606af5000" filename = "" Region: id = 1879 start_va = 0xe0875c0000 end_va = 0xe087626fff entry_point = 0xe0875c0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1880 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1881 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1882 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1883 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1884 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1885 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1886 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1887 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1888 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1889 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1890 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1903 start_va = 0x7ff9fd250000 end_va = 0x7ff9fd2a7fff entry_point = 0x7ff9fd250000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1904 start_va = 0x7ff9ff470000 end_va = 0x7ff9ff478fff entry_point = 0x7ff9ff470000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1905 start_va = 0x7ff9fc0d0000 end_va = 0x7ff9fc127fff entry_point = 0x7ff9fc0d0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1953 start_va = 0x7ff9fba70000 end_va = 0x7ff9fba92fff entry_point = 0x7ff9fba70000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1982 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1983 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1984 start_va = 0xe0877c0000 end_va = 0xe08783ffff entry_point = 0x0 region_type = private name = "private_0x000000e0877c0000" filename = "" Region: id = 1985 start_va = 0x7ff606af3000 end_va = 0x7ff606af4fff entry_point = 0x0 region_type = private name = "private_0x00007ff606af3000" filename = "" Region: id = 1986 start_va = 0xe087840000 end_va = 0xe0878bffff entry_point = 0x0 region_type = private name = "private_0x000000e087840000" filename = "" Region: id = 1987 start_va = 0xe0878c0000 end_va = 0xe08793ffff entry_point = 0x0 region_type = private name = "private_0x000000e0878c0000" filename = "" Region: id = 1988 start_va = 0xe086b10000 end_va = 0xe086b10fff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1989 start_va = 0xe086b10000 end_va = 0xe086b2ffff entry_point = 0x0 region_type = private name = "private_0x000000e086b10000" filename = "" Region: id = 1992 start_va = 0x7ff6069cc000 end_va = 0x7ff6069cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6069cc000" filename = "" Region: id = 1993 start_va = 0x7ff6069ce000 end_va = 0x7ff6069cffff entry_point = 0x0 region_type = private name = "private_0x00007ff6069ce000" filename = "" Region: id = 1994 start_va = 0xe087940000 end_va = 0xe087940fff entry_point = 0x0 region_type = private name = "private_0x000000e087940000" filename = "" Region: id = 1995 start_va = 0xe087940000 end_va = 0xe08795ffff entry_point = 0x0 region_type = private name = "private_0x000000e087940000" filename = "" Region: id = 1996 start_va = 0x7ff9f9dc0000 end_va = 0x7ff9f9deffff entry_point = 0x7ff9f9dc0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2008 start_va = 0xe087960000 end_va = 0xe08799cfff entry_point = 0xe087960000 region_type = mapped_file name = "microsoft-windows-system-events.dll" filename = "\\Windows\\System32\\microsoft-windows-system-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-system-events.dll") Region: id = 2009 start_va = 0xe087960000 end_va = 0xe087a13fff entry_point = 0xe087960000 region_type = mapped_file name = "lsm.dll" filename = "\\Windows\\System32\\lsm.dll" (normalized: "c:\\windows\\system32\\lsm.dll") Region: id = 2017 start_va = 0xe087960000 end_va = 0xe08799cfff entry_point = 0xe087960000 region_type = mapped_file name = "microsoft-windows-system-events.dll" filename = "\\Windows\\System32\\microsoft-windows-system-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-system-events.dll") Region: id = 2018 start_va = 0xe0879a0000 end_va = 0xe0879a0fff entry_point = 0x0 region_type = private name = "private_0x000000e0879a0000" filename = "" Region: id = 2019 start_va = 0xe0879a0000 end_va = 0xe087a1ffff entry_point = 0x0 region_type = private name = "private_0x000000e0879a0000" filename = "" Region: id = 2020 start_va = 0x7ff6069ca000 end_va = 0x7ff6069cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6069ca000" filename = "" Region: id = 2025 start_va = 0xe087a20000 end_va = 0xe087a20fff entry_point = 0x0 region_type = private name = "private_0x000000e087a20000" filename = "" Region: id = 2026 start_va = 0xe087a20000 end_va = 0xe087a3ffff entry_point = 0x0 region_type = private name = "private_0x000000e087a20000" filename = "" Region: id = 2121 start_va = 0xe087a40000 end_va = 0xe087abffff entry_point = 0x0 region_type = private name = "private_0x000000e087a40000" filename = "" Region: id = 2122 start_va = 0x7ff6069c8000 end_va = 0x7ff6069c9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6069c8000" filename = "" Region: id = 2141 start_va = 0xe087960000 end_va = 0xe08799cfff entry_point = 0xe087960000 region_type = mapped_file name = "microsoft-windows-system-events.dll" filename = "\\Windows\\System32\\microsoft-windows-system-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-system-events.dll") Region: id = 2142 start_va = 0xe087ac0000 end_va = 0xe087ac0fff entry_point = 0x0 region_type = private name = "private_0x000000e087ac0000" filename = "" Region: id = 2143 start_va = 0xe087ac0000 end_va = 0xe087b3ffff entry_point = 0x0 region_type = private name = "private_0x000000e087ac0000" filename = "" Region: id = 2144 start_va = 0xe087b40000 end_va = 0xe087b40fff entry_point = 0x0 region_type = private name = "private_0x000000e087b40000" filename = "" Region: id = 2145 start_va = 0x7ff6069c6000 end_va = 0x7ff6069c7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6069c6000" filename = "" Region: id = 2146 start_va = 0xe087b40000 end_va = 0xe087b5ffff entry_point = 0x0 region_type = private name = "private_0x000000e087b40000" filename = "" Region: id = 2149 start_va = 0xe087b60000 end_va = 0xe087c9dfff entry_point = 0xe087b60000 region_type = mapped_file name = "comres.dll" filename = "\\Windows\\System32\\comres.dll" (normalized: "c:\\windows\\system32\\comres.dll") Region: id = 2150 start_va = 0x6690000 end_va = 0x66ebfff entry_point = 0x6690000 region_type = mapped_file name = "fltmgr.sys" filename = "\\Windows\\System32\\drivers\\fltMgr.sys" (normalized: "c:\\windows\\system32\\drivers\\fltmgr.sys") Region: id = 2151 start_va = 0xe087ca0000 end_va = 0xe087d9ffff entry_point = 0x0 region_type = private name = "private_0x000000e087ca0000" filename = "" Region: id = 2158 start_va = 0xe087b60000 end_va = 0xe087c13fff entry_point = 0xe087b60000 region_type = mapped_file name = "adtschema.dll" filename = "\\Windows\\System32\\adtschema.dll" (normalized: "c:\\windows\\system32\\adtschema.dll") Region: id = 2163 start_va = 0x6690000 end_va = 0x6885fff entry_point = 0x6690000 region_type = mapped_file name = "ntfs.sys" filename = "\\Windows\\System32\\drivers\\ntfs.sys" (normalized: "c:\\windows\\system32\\drivers\\ntfs.sys") Region: id = 2180 start_va = 0xe086a90000 end_va = 0xe086aa4fff entry_point = 0xe086a90000 region_type = mapped_file name = "pshed.dll" filename = "\\Windows\\System32\\PSHED.DLL" (normalized: "c:\\windows\\system32\\pshed.dll") Region: id = 2190 start_va = 0xe086a90000 end_va = 0xe086ab0fff entry_point = 0xe086a90000 region_type = mapped_file name = "microsoft-windows-kernel-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-power-events.dll") Region: id = 2208 start_va = 0xe086a90000 end_va = 0xe086aa0fff entry_point = 0xe086a90000 region_type = mapped_file name = "microsoft-windows-kernel-processor-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-processor-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-processor-power-events.dll") Region: id = 2209 start_va = 0xe087da0000 end_va = 0xe087f9ffff entry_point = 0x0 region_type = private name = "private_0x000000e087da0000" filename = "" Region: id = 2223 start_va = 0xe087fa0000 end_va = 0xe0880e6fff entry_point = 0xe087fa0000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 2275 start_va = 0xe086a90000 end_va = 0xe086ac9fff entry_point = 0xe086a90000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 2320 start_va = 0xe086a90000 end_va = 0xe086b0ffff entry_point = 0x0 region_type = private name = "private_0x000000e086a90000" filename = "" Region: id = 2321 start_va = 0x7ff606afa000 end_va = 0x7ff606afbfff entry_point = 0x0 region_type = private name = "private_0x00007ff606afa000" filename = "" Region: id = 2322 start_va = 0x7ff9f8a10000 end_va = 0x7ff9f8ae2fff entry_point = 0x7ff9f8a10000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 2324 start_va = 0x7ff9f9120000 end_va = 0x7ff9f9127fff entry_point = 0x7ff9f9120000 region_type = mapped_file name = "ksuser.dll" filename = "\\Windows\\System32\\ksuser.dll" (normalized: "c:\\windows\\system32\\ksuser.dll") Region: id = 2325 start_va = 0x7ff9fd190000 end_va = 0x7ff9fd246fff entry_point = 0x7ff9fd190000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2326 start_va = 0x7ff9fbaa0000 end_va = 0x7ff9fbaacfff entry_point = 0x7ff9fbaa0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 2327 start_va = 0x7ff9f9e20000 end_va = 0x7ff9f9e81fff entry_point = 0x7ff9f9e20000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2328 start_va = 0x7ff9fa540000 end_va = 0x7ff9fa54afff entry_point = 0x7ff9fa540000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2329 start_va = 0x7ff9fb6f0000 end_va = 0x7ff9fb715fff entry_point = 0x7ff9fb6f0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2330 start_va = 0x7ff9fca50000 end_va = 0x7ff9fca99fff entry_point = 0x7ff9fca50000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2331 start_va = 0xe087fa0000 end_va = 0xe088118fff entry_point = 0xe087fa0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2336 start_va = 0xe086a90000 end_va = 0xe086a90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e086a90000" filename = "" Region: id = 2337 start_va = 0xe087b60000 end_va = 0xe087bdffff entry_point = 0x0 region_type = private name = "private_0x000000e087b60000" filename = "" Region: id = 2338 start_va = 0x7ff6069c4000 end_va = 0x7ff6069c5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6069c4000" filename = "" Region: id = 2339 start_va = 0x7ff9fd8c0000 end_va = 0x7ff9fd963fff entry_point = 0x7ff9fd8c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2340 start_va = 0xe086aa0000 end_va = 0xe086aa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e086aa0000" filename = "" Region: id = 2341 start_va = 0xe087be0000 end_va = 0xe087c5ffff entry_point = 0x0 region_type = private name = "private_0x000000e087be0000" filename = "" Region: id = 2342 start_va = 0x7ff606afa000 end_va = 0x7ff606afbfff entry_point = 0x0 region_type = private name = "private_0x00007ff606afa000" filename = "" Region: id = 2343 start_va = 0xe086ab0000 end_va = 0xe086ab0fff entry_point = 0x0 region_type = private name = "private_0x000000e086ab0000" filename = "" Region: id = 2344 start_va = 0xe086ac0000 end_va = 0xe086ac0fff entry_point = 0x0 region_type = private name = "private_0x000000e086ac0000" filename = "" Region: id = 2345 start_va = 0xe086ad0000 end_va = 0xe086ad0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e086ad0000" filename = "" Region: id = 2346 start_va = 0xe087fa0000 end_va = 0xe08801ffff entry_point = 0x0 region_type = private name = "private_0x000000e087fa0000" filename = "" Region: id = 2347 start_va = 0x7ff6069c2000 end_va = 0x7ff6069c3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6069c2000" filename = "" Region: id = 2348 start_va = 0x7ff9fc790000 end_va = 0x7ff9fc7e6fff entry_point = 0x7ff9fc790000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2350 start_va = 0x7ff9f8c60000 end_va = 0x7ff9f8c70fff entry_point = 0x7ff9f8c60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2397 start_va = 0xe088020000 end_va = 0xe08809ffff entry_point = 0x0 region_type = private name = "private_0x000000e088020000" filename = "" Region: id = 2398 start_va = 0xe0880a0000 end_va = 0xe08811ffff entry_point = 0x0 region_type = private name = "private_0x000000e0880a0000" filename = "" Region: id = 2399 start_va = 0x7ff6069be000 end_va = 0x7ff6069bffff entry_point = 0x0 region_type = private name = "private_0x00007ff6069be000" filename = "" Region: id = 2400 start_va = 0x7ff6069c0000 end_va = 0x7ff6069c1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6069c0000" filename = "" Region: id = 2401 start_va = 0x7ff9f89e0000 end_va = 0x7ff9f89e9fff entry_point = 0x7ff9f89e0000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 2417 start_va = 0x7ff9f8890000 end_va = 0x7ff9f88b8fff entry_point = 0x7ff9f8890000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2422 start_va = 0x7ff9f8880000 end_va = 0x7ff9f8888fff entry_point = 0x7ff9f8880000 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 2426 start_va = 0x7ff9f8870000 end_va = 0x7ff9f8879fff entry_point = 0x7ff9f8870000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2429 start_va = 0x7ff9f8910000 end_va = 0x7ff9f896afff entry_point = 0x7ff9f8910000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 2431 start_va = 0xe088120000 end_va = 0xe08819ffff entry_point = 0x0 region_type = private name = "private_0x000000e088120000" filename = "" Region: id = 2432 start_va = 0x7ff6069bc000 end_va = 0x7ff6069bdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6069bc000" filename = "" Region: id = 2433 start_va = 0x7ff9fbee0000 end_va = 0x7ff9fbf82fff entry_point = 0x7ff9fbee0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2435 start_va = 0x7ff9f8970000 end_va = 0x7ff9f89cdfff entry_point = 0x7ff9f8970000 region_type = mapped_file name = "wcmsvc.dll" filename = "\\Windows\\System32\\wcmsvc.dll" (normalized: "c:\\windows\\system32\\wcmsvc.dll") Region: id = 2449 start_va = 0x7ff9fb7a0000 end_va = 0x7ff9fb855fff entry_point = 0x7ff9fb7a0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2451 start_va = 0x7ff9f8780000 end_va = 0x7ff9f87c6fff entry_point = 0x7ff9f8780000 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 2456 start_va = 0x7ff9f8760000 end_va = 0x7ff9f877dfff entry_point = 0x7ff9f8760000 region_type = mapped_file name = "wcmcsp.dll" filename = "\\Windows\\System32\\wcmcsp.dll" (normalized: "c:\\windows\\system32\\wcmcsp.dll") Region: id = 2459 start_va = 0x7ff9fd360000 end_va = 0x7ff9fd4d7fff entry_point = 0x7ff9fd360000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2462 start_va = 0x7ff9f8730000 end_va = 0x7ff9f873dfff entry_point = 0x7ff9f8730000 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 2463 start_va = 0xe0881a0000 end_va = 0xe08821ffff entry_point = 0x0 region_type = private name = "private_0x000000e0881a0000" filename = "" Region: id = 2464 start_va = 0x7ff6069ba000 end_va = 0x7ff6069bbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6069ba000" filename = "" Region: id = 2465 start_va = 0xe088220000 end_va = 0xe08829ffff entry_point = 0x0 region_type = private name = "private_0x000000e088220000" filename = "" Region: id = 2466 start_va = 0x7ff6069b8000 end_va = 0x7ff6069b9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6069b8000" filename = "" Region: id = 2467 start_va = 0x7ff9f9ce0000 end_va = 0x7ff9f9cf8fff entry_point = 0x7ff9f9ce0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2468 start_va = 0x7ff9fc150000 end_va = 0x7ff9fc23afff entry_point = 0x7ff9fc150000 region_type = mapped_file name = "kerberos.dll" filename = "\\Windows\\System32\\kerberos.dll" (normalized: "c:\\windows\\system32\\kerberos.dll") Region: id = 2469 start_va = 0x7ff9fc920000 end_va = 0x7ff9fc931fff entry_point = 0x7ff9fc920000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2470 start_va = 0x7ff9fc240000 end_va = 0x7ff9fc257fff entry_point = 0x7ff9fc240000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 2471 start_va = 0xe086ae0000 end_va = 0xe086ae0fff entry_point = 0x0 region_type = private name = "private_0x000000e086ae0000" filename = "" Region: id = 2473 start_va = 0xe088020000 end_va = 0xe08809ffff entry_point = 0x0 region_type = private name = "private_0x000000e088020000" filename = "" Region: id = 2474 start_va = 0xe0882a0000 end_va = 0xe08831ffff entry_point = 0x0 region_type = private name = "private_0x000000e0882a0000" filename = "" Region: id = 2475 start_va = 0x7ff6069b6000 end_va = 0x7ff6069b7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6069b6000" filename = "" Region: id = 2476 start_va = 0x7ff6069c0000 end_va = 0x7ff6069c1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6069c0000" filename = "" Region: id = 2477 start_va = 0x7ff9f87d0000 end_va = 0x7ff9f87e3fff entry_point = 0x7ff9f87d0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2478 start_va = 0x7ff9f8740000 end_va = 0x7ff9f8758fff entry_point = 0x7ff9f8740000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2484 start_va = 0xe086ae0000 end_va = 0xe086ae0fff entry_point = 0x0 region_type = private name = "private_0x000000e086ae0000" filename = "" Region: id = 2485 start_va = 0xe088320000 end_va = 0xe08839ffff entry_point = 0x0 region_type = private name = "private_0x000000e088320000" filename = "" Region: id = 2486 start_va = 0x7ff6069b4000 end_va = 0x7ff6069b5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6069b4000" filename = "" Region: id = 2775 start_va = 0xe088320000 end_va = 0xe08871ffff entry_point = 0x0 region_type = private name = "private_0x000000e088320000" filename = "" Region: id = 2804 start_va = 0xe088720000 end_va = 0xe08881ffff entry_point = 0x0 region_type = private name = "private_0x000000e088720000" filename = "" Region: id = 2917 start_va = 0x6690000 end_va = 0x66fcfff entry_point = 0x6690000 region_type = mapped_file name = "mrxsmb.sys" filename = "\\Windows\\System32\\drivers\\mrxsmb.sys" (normalized: "c:\\windows\\system32\\drivers\\mrxsmb.sys") Thread: id = 164 os_tid = 0x2ac Thread: id = 166 os_tid = 0x2b4 Thread: id = 167 os_tid = 0x2b8 Thread: id = 173 os_tid = 0x2d0 Thread: id = 174 os_tid = 0x2d4 Thread: id = 184 os_tid = 0x300 Thread: id = 185 os_tid = 0x308 Thread: id = 186 os_tid = 0x304 Thread: id = 188 os_tid = 0x310 Thread: id = 202 os_tid = 0x33c Thread: id = 203 os_tid = 0x348 Thread: id = 224 os_tid = 0x3a0 Thread: id = 225 os_tid = 0x3a4 Thread: id = 226 os_tid = 0x3a8 Thread: id = 227 os_tid = 0x3ac Thread: id = 229 os_tid = 0x3b4 Thread: id = 231 os_tid = 0x3bc Thread: id = 232 os_tid = 0x3c0 Thread: id = 236 os_tid = 0x3d4 Thread: id = 244 os_tid = 0x3f4 Thread: id = 245 os_tid = 0x3f8 Thread: id = 246 os_tid = 0x3fc Thread: id = 247 os_tid = 0xd8 Thread: id = 248 os_tid = 0xdc Thread: id = 250 os_tid = 0xf8 Thread: id = 257 os_tid = 0x120 Process: id = "26" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x69d0000" os_pid = "0x2dc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MMCSS" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\MsKeyboardFilter" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a8e2" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1891 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1892 start_va = 0x96dda10000 end_va = 0x96dda2ffff entry_point = 0x0 region_type = private name = "private_0x00000096dda10000" filename = "" Region: id = 1893 start_va = 0x96dda30000 end_va = 0x96dda3efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096dda30000" filename = "" Region: id = 1894 start_va = 0x96dda40000 end_va = 0x96ddabffff entry_point = 0x0 region_type = private name = "private_0x00000096dda40000" filename = "" Region: id = 1895 start_va = 0x96ddac0000 end_va = 0x96ddac3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096ddac0000" filename = "" Region: id = 1896 start_va = 0x7ff606160000 end_va = 0x7ff606182fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606160000" filename = "" Region: id = 1897 start_va = 0x7ff60618a000 end_va = 0x7ff60618afff entry_point = 0x0 region_type = private name = "private_0x00007ff60618a000" filename = "" Region: id = 1898 start_va = 0x7ff60618e000 end_va = 0x7ff60618ffff entry_point = 0x0 region_type = private name = "private_0x00007ff60618e000" filename = "" Region: id = 1899 start_va = 0x7ff606dc0000 end_va = 0x7ff606dcbfff entry_point = 0x7ff606dc0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1900 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1901 start_va = 0x96ddad0000 end_va = 0x96ddad0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096ddad0000" filename = "" Region: id = 1902 start_va = 0x96ddae0000 end_va = 0x96ddae1fff entry_point = 0x0 region_type = private name = "private_0x00000096ddae0000" filename = "" Region: id = 1906 start_va = 0x96ddbf0000 end_va = 0x96ddceffff entry_point = 0x0 region_type = private name = "private_0x00000096ddbf0000" filename = "" Region: id = 1907 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1908 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1909 start_va = 0x96dda10000 end_va = 0x96dda1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096dda10000" filename = "" Region: id = 1910 start_va = 0x7ff606060000 end_va = 0x7ff60615ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606060000" filename = "" Region: id = 1911 start_va = 0x96ddaf0000 end_va = 0x96ddb6dfff entry_point = 0x96ddaf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1912 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1913 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1914 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1915 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1916 start_va = 0x96ddb70000 end_va = 0x96ddbcffff entry_point = 0x0 region_type = private name = "private_0x00000096ddb70000" filename = "" Region: id = 1917 start_va = 0x96dda20000 end_va = 0x96dda26fff entry_point = 0x0 region_type = private name = "private_0x00000096dda20000" filename = "" Region: id = 1918 start_va = 0x96ddcf0000 end_va = 0x96ddda7fff entry_point = 0x96ddcf0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1919 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1920 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1921 start_va = 0x96ddb70000 end_va = 0x96ddb76fff entry_point = 0x0 region_type = private name = "private_0x00000096ddb70000" filename = "" Region: id = 1922 start_va = 0x96ddbc0000 end_va = 0x96ddbcffff entry_point = 0x0 region_type = private name = "private_0x00000096ddbc0000" filename = "" Region: id = 1923 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1924 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1925 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1926 start_va = 0x96ddcf0000 end_va = 0x96dde77fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096ddcf0000" filename = "" Region: id = 1927 start_va = 0x96dde80000 end_va = 0x96de000fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096dde80000" filename = "" Region: id = 1928 start_va = 0x96de010000 end_va = 0x96de0cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096de010000" filename = "" Region: id = 1929 start_va = 0x96ddb80000 end_va = 0x96ddb82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096ddb80000" filename = "" Region: id = 1930 start_va = 0x96ddb90000 end_va = 0x96ddb90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096ddb90000" filename = "" Region: id = 1931 start_va = 0x96ddba0000 end_va = 0x96ddba0fff entry_point = 0x0 region_type = private name = "private_0x00000096ddba0000" filename = "" Region: id = 1932 start_va = 0x96ddbb0000 end_va = 0x96ddbb0fff entry_point = 0x0 region_type = private name = "private_0x00000096ddbb0000" filename = "" Region: id = 1933 start_va = 0x96de0d0000 end_va = 0x96de4cbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096de0d0000" filename = "" Region: id = 1934 start_va = 0x96de4d0000 end_va = 0x96de54ffff entry_point = 0x0 region_type = private name = "private_0x00000096de4d0000" filename = "" Region: id = 1935 start_va = 0x96de550000 end_va = 0x96de5cffff entry_point = 0x0 region_type = private name = "private_0x00000096de550000" filename = "" Region: id = 1936 start_va = 0x96de5d0000 end_va = 0x96de8a4fff entry_point = 0x96de5d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1937 start_va = 0x7ff606188000 end_va = 0x7ff606189fff entry_point = 0x0 region_type = private name = "private_0x00007ff606188000" filename = "" Region: id = 1938 start_va = 0x7ff60618c000 end_va = 0x7ff60618dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60618c000" filename = "" Region: id = 1939 start_va = 0x96de8b0000 end_va = 0x96de92ffff entry_point = 0x0 region_type = private name = "private_0x00000096de8b0000" filename = "" Region: id = 1940 start_va = 0x7ff606186000 end_va = 0x7ff606187fff entry_point = 0x0 region_type = private name = "private_0x00007ff606186000" filename = "" Region: id = 1941 start_va = 0x96de930000 end_va = 0x96de9affff entry_point = 0x0 region_type = private name = "private_0x00000096de930000" filename = "" Region: id = 1942 start_va = 0x7ff606184000 end_va = 0x7ff606185fff entry_point = 0x0 region_type = private name = "private_0x00007ff606184000" filename = "" Region: id = 1948 start_va = 0x7ff9fa380000 end_va = 0x7ff9fa390fff entry_point = 0x7ff9fa380000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1961 start_va = 0x7ff9f9fa0000 end_va = 0x7ff9f9fd9fff entry_point = 0x7ff9f9fa0000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1964 start_va = 0x7ff9fbe80000 end_va = 0x7ff9fbe9efff entry_point = 0x7ff9fbe80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1965 start_va = 0x7ff9fd190000 end_va = 0x7ff9fd246fff entry_point = 0x7ff9fd190000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1966 start_va = 0x7ff9fb790000 end_va = 0x7ff9fb79afff entry_point = 0x7ff9fb790000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1967 start_va = 0x7ff9fc870000 end_va = 0x7ff9fc883fff entry_point = 0x7ff9fc870000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1975 start_va = 0x96de9b0000 end_va = 0x96deb28fff entry_point = 0x96de9b0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1980 start_va = 0x7ff9f9fe0000 end_va = 0x7ff9fa126fff entry_point = 0x7ff9f9fe0000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1981 start_va = 0x96de9b0000 end_va = 0x96deb7ffff entry_point = 0x0 region_type = private name = "private_0x00000096de9b0000" filename = "" Region: id = 2010 start_va = 0x7ff9fc480000 end_va = 0x7ff9fc4a4fff entry_point = 0x7ff9fc480000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2011 start_va = 0x7ff9fdcd0000 end_va = 0x7ff9fdd29fff entry_point = 0x7ff9fdcd0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2014 start_va = 0x7ff9fba70000 end_va = 0x7ff9fba92fff entry_point = 0x7ff9fba70000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2015 start_va = 0x7ff9ff470000 end_va = 0x7ff9ff478fff entry_point = 0x7ff9ff470000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2016 start_va = 0x7ff9fa450000 end_va = 0x7ff9fa4b6fff entry_point = 0x7ff9fa450000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2027 start_va = 0x7ff9f9ce0000 end_va = 0x7ff9f9cf8fff entry_point = 0x7ff9f9ce0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2043 start_va = 0x7ff9f97e0000 end_va = 0x7ff9f9803fff entry_point = 0x7ff9f97e0000 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 2086 start_va = 0x7ff9f95d0000 end_va = 0x7ff9f95f7fff entry_point = 0x7ff9f95d0000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2090 start_va = 0x7ff9f9570000 end_va = 0x7ff9f9584fff entry_point = 0x7ff9f9570000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2091 start_va = 0x7ff9fe050000 end_va = 0x7ff9ff466fff entry_point = 0x7ff9fe050000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2097 start_va = 0x7ff9f9350000 end_va = 0x7ff9f936afff entry_point = 0x7ff9f9350000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 2098 start_va = 0x7ff9ff4a0000 end_va = 0x7ff9ff4f0fff entry_point = 0x7ff9ff4a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2110 start_va = 0x7ff9fd250000 end_va = 0x7ff9fd2a7fff entry_point = 0x7ff9fd250000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2111 start_va = 0x7ff9fbb20000 end_va = 0x7ff9fbb2bfff entry_point = 0x7ff9fbb20000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2123 start_va = 0x96de9b0000 end_va = 0x96dea2ffff entry_point = 0x0 region_type = private name = "private_0x00000096de9b0000" filename = "" Region: id = 2124 start_va = 0x96deb70000 end_va = 0x96deb7ffff entry_point = 0x0 region_type = private name = "private_0x00000096deb70000" filename = "" Region: id = 2125 start_va = 0x7ff60605e000 end_va = 0x7ff60605ffff entry_point = 0x0 region_type = private name = "private_0x00007ff60605e000" filename = "" Region: id = 2126 start_va = 0x7ff9f9330000 end_va = 0x7ff9f9345fff entry_point = 0x7ff9f9330000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2152 start_va = 0x7ff9fbea0000 end_va = 0x7ff9fbedcfff entry_point = 0x7ff9fbea0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 2191 start_va = 0x7ff9fc790000 end_va = 0x7ff9fc7e6fff entry_point = 0x7ff9fc790000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2196 start_va = 0x7ff9f9d20000 end_va = 0x7ff9f9d28fff entry_point = 0x7ff9f9d20000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 2197 start_va = 0x96dea30000 end_va = 0x96deaaffff entry_point = 0x0 region_type = private name = "private_0x00000096dea30000" filename = "" Region: id = 2198 start_va = 0x7ff60605c000 end_va = 0x7ff60605dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60605c000" filename = "" Region: id = 2199 start_va = 0x96ddbd0000 end_va = 0x96ddbd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096ddbd0000" filename = "" Region: id = 2200 start_va = 0x7ff9fd8c0000 end_va = 0x7ff9fd963fff entry_point = 0x7ff9fd8c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2201 start_va = 0x7ff9fc130000 end_va = 0x7ff9fc14dfff entry_point = 0x7ff9fc130000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2202 start_va = 0x7ff9fbd70000 end_va = 0x7ff9fbda4fff entry_point = 0x7ff9fbd70000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2203 start_va = 0x7ff9fc360000 end_va = 0x7ff9fc385fff entry_point = 0x7ff9fc360000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2204 start_va = 0x96deab0000 end_va = 0x96deb2ffff entry_point = 0x0 region_type = private name = "private_0x00000096deab0000" filename = "" Region: id = 2205 start_va = 0x7ff60605a000 end_va = 0x7ff60605bfff entry_point = 0x0 region_type = private name = "private_0x00007ff60605a000" filename = "" Region: id = 2206 start_va = 0x7ff9f9000000 end_va = 0x7ff9f9016fff entry_point = 0x7ff9f9000000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 2210 start_va = 0x96ddbe0000 end_va = 0x96ddbe0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096ddbe0000" filename = "" Region: id = 2258 start_va = 0x96de550000 end_va = 0x96de550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096de550000" filename = "" Region: id = 2259 start_va = 0x96dea30000 end_va = 0x96deaaffff entry_point = 0x0 region_type = private name = "private_0x00000096dea30000" filename = "" Region: id = 2260 start_va = 0x7ff60605c000 end_va = 0x7ff60605dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60605c000" filename = "" Region: id = 2263 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000096de560000" filename = "" Region: id = 2269 start_va = 0x96deb80000 end_va = 0x96debfffff entry_point = 0x0 region_type = private name = "private_0x00000096deb80000" filename = "" Region: id = 2270 start_va = 0x7ff606188000 end_va = 0x7ff606189fff entry_point = 0x0 region_type = private name = "private_0x00007ff606188000" filename = "" Region: id = 2273 start_va = 0x7ff9f8c80000 end_va = 0x7ff9f8e1cfff entry_point = 0x7ff9f8c80000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 2283 start_va = 0x7ff9f8e20000 end_va = 0x7ff9f8e45fff entry_point = 0x7ff9f8e20000 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 2284 start_va = 0x7ff9fa540000 end_va = 0x7ff9fa54afff entry_point = 0x7ff9fa540000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2353 start_va = 0x96dec00000 end_va = 0x96dec7ffff entry_point = 0x0 region_type = private name = "private_0x00000096dec00000" filename = "" Region: id = 2354 start_va = 0x7ff606058000 end_va = 0x7ff606059fff entry_point = 0x0 region_type = private name = "private_0x00007ff606058000" filename = "" Region: id = 2355 start_va = 0x7ff9f89f0000 end_va = 0x7ff9f8a0dfff entry_point = 0x7ff9f89f0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 2359 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2479 start_va = 0x96dec80000 end_va = 0x96decfffff entry_point = 0x0 region_type = private name = "private_0x00000096dec80000" filename = "" Region: id = 2480 start_va = 0x7ff606056000 end_va = 0x7ff606057fff entry_point = 0x0 region_type = private name = "private_0x00007ff606056000" filename = "" Region: id = 2483 start_va = 0x7ff9f8690000 end_va = 0x7ff9f872cfff entry_point = 0x7ff9f8690000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 2488 start_va = 0x7ff9fca50000 end_va = 0x7ff9fca99fff entry_point = 0x7ff9fca50000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2489 start_va = 0x7ff9fbaa0000 end_va = 0x7ff9fbaacfff entry_point = 0x7ff9fbaa0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 2492 start_va = 0x7ff9fd2b0000 end_va = 0x7ff9fd354fff entry_point = 0x7ff9fd2b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2494 start_va = 0x96ded00000 end_va = 0x96ded7ffff entry_point = 0x0 region_type = private name = "private_0x00000096ded00000" filename = "" Region: id = 2495 start_va = 0x7ff606054000 end_va = 0x7ff606055fff entry_point = 0x0 region_type = private name = "private_0x00007ff606054000" filename = "" Region: id = 2496 start_va = 0x7ff9fb6f0000 end_va = 0x7ff9fb715fff entry_point = 0x7ff9fb6f0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2499 start_va = 0x7ff9f84a0000 end_va = 0x7ff9f8553fff entry_point = 0x7ff9f84a0000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 2505 start_va = 0x7ff9f8480000 end_va = 0x7ff9f8499fff entry_point = 0x7ff9f8480000 region_type = mapped_file name = "bcd.dll" filename = "\\Windows\\System32\\bcd.dll" (normalized: "c:\\windows\\system32\\bcd.dll") Region: id = 2506 start_va = 0x7ff9f8470000 end_va = 0x7ff9f847afff entry_point = 0x7ff9f8470000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 2508 start_va = 0x7ff9fcaf0000 end_va = 0x7ff9fccc6fff entry_point = 0x7ff9fcaf0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2511 start_va = 0x7ff9fc920000 end_va = 0x7ff9fc931fff entry_point = 0x7ff9fc920000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2513 start_va = 0x7ff9f8560000 end_va = 0x7ff9f868afff entry_point = 0x7ff9f8560000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 2516 start_va = 0x7ff9f8410000 end_va = 0x7ff9f8419fff entry_point = 0x7ff9f8410000 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 2517 start_va = 0x7ff9f8420000 end_va = 0x7ff9f842afff entry_point = 0x7ff9f8420000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 2518 start_va = 0x7ff9f8430000 end_va = 0x7ff9f8464fff entry_point = 0x7ff9f8430000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 2519 start_va = 0x7ff9f9590000 end_va = 0x7ff9f95c7fff entry_point = 0x7ff9f9590000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2520 start_va = 0x7ff9fbab0000 end_va = 0x7ff9fbabdfff entry_point = 0x7ff9fbab0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 2521 start_va = 0x7ff9fbb30000 end_va = 0x7ff9fbb77fff entry_point = 0x7ff9fbb30000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 2522 start_va = 0x7ff9fc4b0000 end_va = 0x7ff9fc4bafff entry_point = 0x7ff9fc4b0000 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 2523 start_va = 0x7ff9fc4c0000 end_va = 0x7ff9fc4c7fff entry_point = 0x7ff9fc4c0000 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 2526 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2527 start_va = 0x96dee20000 end_va = 0x96dee2ffff entry_point = 0x0 region_type = private name = "private_0x00000096dee20000" filename = "" Region: id = 2528 start_va = 0x96dee30000 end_va = 0x96def2ffff entry_point = 0x0 region_type = private name = "private_0x00000096dee30000" filename = "" Region: id = 2530 start_va = 0x96ded80000 end_va = 0x96dedfffff entry_point = 0x0 region_type = private name = "private_0x00000096ded80000" filename = "" Region: id = 2531 start_va = 0x7ff606052000 end_va = 0x7ff606053fff entry_point = 0x0 region_type = private name = "private_0x00007ff606052000" filename = "" Region: id = 2532 start_va = 0x7ff9fc820000 end_va = 0x7ff9fc864fff entry_point = 0x7ff9fc820000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2533 start_va = 0x7ff9f8730000 end_va = 0x7ff9f873dfff entry_point = 0x7ff9f8730000 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 2534 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2535 start_va = 0x7ff9f83c0000 end_va = 0x7ff9f840cfff entry_point = 0x7ff9f83c0000 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 2536 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2537 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2538 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2539 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2540 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2541 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2542 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2543 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2544 start_va = 0x96de560000 end_va = 0x96de560fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2546 start_va = 0x96def30000 end_va = 0x96defaffff entry_point = 0x0 region_type = private name = "private_0x00000096def30000" filename = "" Region: id = 2547 start_va = 0x96defb0000 end_va = 0x96df02ffff entry_point = 0x0 region_type = private name = "private_0x00000096defb0000" filename = "" Region: id = 2548 start_va = 0x7ff60604e000 end_va = 0x7ff60604ffff entry_point = 0x0 region_type = private name = "private_0x00007ff60604e000" filename = "" Region: id = 2549 start_va = 0x7ff606050000 end_va = 0x7ff606051fff entry_point = 0x0 region_type = private name = "private_0x00007ff606050000" filename = "" Region: id = 2550 start_va = 0x96de560000 end_va = 0x96de566fff entry_point = 0x0 region_type = private name = "private_0x00000096de560000" filename = "" Region: id = 2553 start_va = 0x96df030000 end_va = 0x96df0affff entry_point = 0x0 region_type = private name = "private_0x00000096df030000" filename = "" Region: id = 2554 start_va = 0x7ff60604c000 end_va = 0x7ff60604dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60604c000" filename = "" Region: id = 2555 start_va = 0x7ff9f83b0000 end_va = 0x7ff9f83bdfff entry_point = 0x7ff9f83b0000 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 2557 start_va = 0x7ff9f8890000 end_va = 0x7ff9f88b8fff entry_point = 0x7ff9f8890000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2558 start_va = 0x7ff9f8380000 end_va = 0x7ff9f83a9fff entry_point = 0x7ff9f8380000 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 2560 start_va = 0x7ff9f8870000 end_va = 0x7ff9f8879fff entry_point = 0x7ff9f8870000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2561 start_va = 0x7ff9f8370000 end_va = 0x7ff9f8377fff entry_point = 0x7ff9f8370000 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 2562 start_va = 0x7ff9fc0d0000 end_va = 0x7ff9fc127fff entry_point = 0x7ff9fc0d0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2565 start_va = 0x7ff9fb7a0000 end_va = 0x7ff9fb855fff entry_point = 0x7ff9fb7a0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2566 start_va = 0x7ff9f8c60000 end_va = 0x7ff9f8c70fff entry_point = 0x7ff9f8c60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2568 start_va = 0x7ff9f82f0000 end_va = 0x7ff9f836bfff entry_point = 0x7ff9f82f0000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 2572 start_va = 0x7ff9f9dc0000 end_va = 0x7ff9f9deffff entry_point = 0x7ff9f9dc0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2573 start_va = 0x96df0b0000 end_va = 0x96df12ffff entry_point = 0x0 region_type = private name = "private_0x00000096df0b0000" filename = "" Region: id = 2574 start_va = 0x96df130000 end_va = 0x96df1affff entry_point = 0x0 region_type = private name = "private_0x00000096df130000" filename = "" Region: id = 2575 start_va = 0x7ff606048000 end_va = 0x7ff606049fff entry_point = 0x0 region_type = private name = "private_0x00007ff606048000" filename = "" Region: id = 2576 start_va = 0x7ff60604a000 end_va = 0x7ff60604bfff entry_point = 0x0 region_type = private name = "private_0x00007ff60604a000" filename = "" Region: id = 2577 start_va = 0x7ff9fc290000 end_va = 0x7ff9fc2dffff entry_point = 0x7ff9fc290000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 2578 start_va = 0x96de570000 end_va = 0x96de570fff entry_point = 0x0 region_type = private name = "private_0x00000096de570000" filename = "" Region: id = 2683 start_va = 0x96df1b0000 end_va = 0x96df22ffff entry_point = 0x0 region_type = private name = "private_0x00000096df1b0000" filename = "" Region: id = 2684 start_va = 0x96df230000 end_va = 0x96df2affff entry_point = 0x0 region_type = private name = "private_0x00000096df230000" filename = "" Region: id = 2685 start_va = 0x7ff606044000 end_va = 0x7ff606045fff entry_point = 0x0 region_type = private name = "private_0x00007ff606044000" filename = "" Region: id = 2686 start_va = 0x7ff606046000 end_va = 0x7ff606047fff entry_point = 0x0 region_type = private name = "private_0x00007ff606046000" filename = "" Region: id = 2687 start_va = 0x96df2b0000 end_va = 0x96df3affff entry_point = 0x0 region_type = private name = "private_0x00000096df2b0000" filename = "" Region: id = 2733 start_va = 0x7ff9faed0000 end_va = 0x7ff9faf6efff entry_point = 0x7ff9faed0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2734 start_va = 0x7ff9f8e90000 end_va = 0x7ff9f8ff4fff entry_point = 0x7ff9f8e90000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2736 start_va = 0x96de580000 end_va = 0x96de583fff entry_point = 0x96de580000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2738 start_va = 0x96de590000 end_va = 0x96de5cefff entry_point = 0x96de590000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000006.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db") Region: id = 2740 start_va = 0x96dea30000 end_va = 0x96dea33fff entry_point = 0x96dea30000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2741 start_va = 0x96df3b0000 end_va = 0x96df432fff entry_point = 0x96df3b0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 2781 start_va = 0x96df440000 end_va = 0x96df53ffff entry_point = 0x0 region_type = private name = "private_0x00000096df440000" filename = "" Region: id = 2801 start_va = 0x96df540000 end_va = 0x96df5bffff entry_point = 0x0 region_type = private name = "private_0x00000096df540000" filename = "" Region: id = 2802 start_va = 0x7ff60605c000 end_va = 0x7ff60605dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60605c000" filename = "" Thread: id = 176 os_tid = 0x2e0 Thread: id = 177 os_tid = 0x2e4 Thread: id = 178 os_tid = 0x2e8 Thread: id = 179 os_tid = 0x2ec Thread: id = 180 os_tid = 0x2f0 Thread: id = 198 os_tid = 0x334 Thread: id = 205 os_tid = 0x350 Thread: id = 206 os_tid = 0x354 Thread: id = 208 os_tid = 0x360 Thread: id = 212 os_tid = 0x370 Thread: id = 215 os_tid = 0x37c Thread: id = 249 os_tid = 0xfc Thread: id = 251 os_tid = 0x100 Thread: id = 253 os_tid = 0x110 Thread: id = 254 os_tid = 0x104 Thread: id = 255 os_tid = 0x10c Thread: id = 256 os_tid = 0x108 Thread: id = 258 os_tid = 0x38 Thread: id = 259 os_tid = 0x138 Thread: id = 267 os_tid = 0x204 Thread: id = 274 os_tid = 0x1dc Thread: id = 285 os_tid = 0x3a4 Process: id = "27" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ce7000" os_pid = "0x314" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ad4a" [0xc000000f], "LOCAL" [0x7] Region: id = 2031 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2032 start_va = 0x1dd6a80000 end_va = 0x1dd6a9ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd6a80000" filename = "" Region: id = 2033 start_va = 0x1dd6aa0000 end_va = 0x1dd6aaefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd6aa0000" filename = "" Region: id = 2034 start_va = 0x1dd6ab0000 end_va = 0x1dd6b2ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd6ab0000" filename = "" Region: id = 2035 start_va = 0x1dd6b30000 end_va = 0x1dd6b33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd6b30000" filename = "" Region: id = 2036 start_va = 0x7ff606530000 end_va = 0x7ff606552fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606530000" filename = "" Region: id = 2037 start_va = 0x7ff60655c000 end_va = 0x7ff60655dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60655c000" filename = "" Region: id = 2038 start_va = 0x7ff60655e000 end_va = 0x7ff60655efff entry_point = 0x0 region_type = private name = "private_0x00007ff60655e000" filename = "" Region: id = 2039 start_va = 0x7ff606dc0000 end_va = 0x7ff606dcbfff entry_point = 0x7ff606dc0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2040 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2041 start_va = 0x1dd6b40000 end_va = 0x1dd6b40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd6b40000" filename = "" Region: id = 2042 start_va = 0x1dd6b50000 end_va = 0x1dd6b51fff entry_point = 0x0 region_type = private name = "private_0x0000001dd6b50000" filename = "" Region: id = 2044 start_va = 0x1dd6b80000 end_va = 0x1dd6c7ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd6b80000" filename = "" Region: id = 2045 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2046 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2047 start_va = 0x1dd6a80000 end_va = 0x1dd6a8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd6a80000" filename = "" Region: id = 2048 start_va = 0x7ff606430000 end_va = 0x7ff60652ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606430000" filename = "" Region: id = 2049 start_va = 0x1dd6c80000 end_va = 0x1dd6cfdfff entry_point = 0x1dd6c80000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2050 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2051 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2052 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2053 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2054 start_va = 0x1dd6d00000 end_va = 0x1dd6eaffff entry_point = 0x0 region_type = private name = "private_0x0000001dd6d00000" filename = "" Region: id = 2055 start_va = 0x1dd6a90000 end_va = 0x1dd6a96fff entry_point = 0x0 region_type = private name = "private_0x0000001dd6a90000" filename = "" Region: id = 2056 start_va = 0x1dd6d00000 end_va = 0x1dd6db7fff entry_point = 0x1dd6d00000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2057 start_va = 0x1dd6ea0000 end_va = 0x1dd6eaffff entry_point = 0x0 region_type = private name = "private_0x0000001dd6ea0000" filename = "" Region: id = 2058 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2059 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2060 start_va = 0x1dd6b60000 end_va = 0x1dd6b66fff entry_point = 0x0 region_type = private name = "private_0x0000001dd6b60000" filename = "" Region: id = 2061 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2062 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2063 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2064 start_va = 0x1dd6d00000 end_va = 0x1dd6e87fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd6d00000" filename = "" Region: id = 2065 start_va = 0x1dd6eb0000 end_va = 0x1dd7030fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd6eb0000" filename = "" Region: id = 2066 start_va = 0x1dd7040000 end_va = 0x1dd70fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd7040000" filename = "" Region: id = 2067 start_va = 0x1dd6b70000 end_va = 0x1dd6b72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd6b70000" filename = "" Region: id = 2068 start_va = 0x1dd6e90000 end_va = 0x1dd6e90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd6e90000" filename = "" Region: id = 2069 start_va = 0x1dd7100000 end_va = 0x1dd74fbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd7100000" filename = "" Region: id = 2070 start_va = 0x1dd7500000 end_va = 0x1dd7500fff entry_point = 0x0 region_type = private name = "private_0x0000001dd7500000" filename = "" Region: id = 2071 start_va = 0x1dd7510000 end_va = 0x1dd7510fff entry_point = 0x0 region_type = private name = "private_0x0000001dd7510000" filename = "" Region: id = 2072 start_va = 0x1dd7520000 end_va = 0x1dd759ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd7520000" filename = "" Region: id = 2073 start_va = 0x1dd75a0000 end_va = 0x1dd761ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd75a0000" filename = "" Region: id = 2074 start_va = 0x7ff606558000 end_va = 0x7ff606559fff entry_point = 0x0 region_type = private name = "private_0x00007ff606558000" filename = "" Region: id = 2075 start_va = 0x7ff60655a000 end_va = 0x7ff60655bfff entry_point = 0x0 region_type = private name = "private_0x00007ff60655a000" filename = "" Region: id = 2079 start_va = 0x1dd7620000 end_va = 0x1dd78f4fff entry_point = 0x1dd7620000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2081 start_va = 0x7ff9f9600000 end_va = 0x7ff9f9677fff entry_point = 0x7ff9f9600000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 2094 start_va = 0x7ff9fc130000 end_va = 0x7ff9fc14dfff entry_point = 0x7ff9fc130000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2095 start_va = 0x7ff9fbd70000 end_va = 0x7ff9fbda4fff entry_point = 0x7ff9fbd70000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2096 start_va = 0x7ff9fc360000 end_va = 0x7ff9fc385fff entry_point = 0x7ff9fc360000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2099 start_va = 0x1dd7900000 end_va = 0x1dd797ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd7900000" filename = "" Region: id = 2100 start_va = 0x1dd7980000 end_va = 0x1dd79fffff entry_point = 0x0 region_type = private name = "private_0x0000001dd7980000" filename = "" Region: id = 2101 start_va = 0x7ff606554000 end_va = 0x7ff606555fff entry_point = 0x0 region_type = private name = "private_0x00007ff606554000" filename = "" Region: id = 2102 start_va = 0x7ff606556000 end_va = 0x7ff606557fff entry_point = 0x0 region_type = private name = "private_0x00007ff606556000" filename = "" Region: id = 2103 start_va = 0x1dd7a00000 end_va = 0x1dd7a00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001dd7a00000" filename = "" Region: id = 2104 start_va = 0x7ff9fd8c0000 end_va = 0x7ff9fd963fff entry_point = 0x7ff9fd8c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2115 start_va = 0x7ff9fd190000 end_va = 0x7ff9fd246fff entry_point = 0x7ff9fd190000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2116 start_va = 0x1dd7a10000 end_va = 0x1dd7b88fff entry_point = 0x1dd7a10000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2117 start_va = 0x1dd7a10000 end_va = 0x1dd7a8ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd7a10000" filename = "" Region: id = 2118 start_va = 0x7ff60642e000 end_va = 0x7ff60642ffff entry_point = 0x0 region_type = private name = "private_0x00007ff60642e000" filename = "" Region: id = 2119 start_va = 0x7ff9fd2b0000 end_va = 0x7ff9fd354fff entry_point = 0x7ff9fd2b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2120 start_va = 0x1dd7a90000 end_va = 0x1dd7b8ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd7a90000" filename = "" Region: id = 2276 start_va = 0x7ff9f8b10000 end_va = 0x7ff9f8c5cfff entry_point = 0x7ff9f8b10000 region_type = mapped_file name = "fntcache.dll" filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll") Region: id = 2294 start_va = 0x1dd7b90000 end_va = 0x1dd7c0ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd7b90000" filename = "" Region: id = 2295 start_va = 0x7ff60642c000 end_va = 0x7ff60642dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60642c000" filename = "" Region: id = 2296 start_va = 0x1dd7c10000 end_va = 0x1dd7c8ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd7c10000" filename = "" Region: id = 2297 start_va = 0x1dd7c90000 end_va = 0x1dd8c8ffff entry_point = 0x1dd7c90000 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\~fontcache-fontface.dat") Region: id = 2298 start_va = 0x7ff60642a000 end_va = 0x7ff60642bfff entry_point = 0x0 region_type = private name = "private_0x00007ff60642a000" filename = "" Region: id = 2299 start_va = 0x1dd8c90000 end_va = 0x1dd8d8ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd8c90000" filename = "" Region: id = 2300 start_va = 0x1dd8d90000 end_va = 0x1dd9db4fff entry_point = 0x1dd8d90000 region_type = mapped_file name = "simsunb.ttf" filename = "\\Windows\\Fonts\\simsunb.ttf" (normalized: "c:\\windows\\fonts\\simsunb.ttf") Region: id = 2323 start_va = 0x1dd75a0000 end_va = 0x1dd75affff entry_point = 0x1dd75a0000 region_type = mapped_file name = "upckb.ttf" filename = "\\Windows\\Fonts\\upckb.ttf" (normalized: "c:\\windows\\fonts\\upckb.ttf") Region: id = 2332 start_va = 0x1dd75b0000 end_va = 0x1dd75dbfff entry_point = 0x1dd75b0000 region_type = mapped_file name = "kokilab.ttf" filename = "\\Windows\\Fonts\\kokilab.ttf" (normalized: "c:\\windows\\fonts\\kokilab.ttf") Region: id = 2333 start_va = 0x1dd9dc0000 end_va = 0x1dd9e10fff entry_point = 0x1dd9dc0000 region_type = mapped_file name = "shonar.ttf" filename = "\\Windows\\Fonts\\Shonar.ttf" (normalized: "c:\\windows\\fonts\\shonar.ttf") Region: id = 2334 start_va = 0x1dd75e0000 end_va = 0x1dd7610fff entry_point = 0x1dd75e0000 region_type = mapped_file name = "mangal.ttf" filename = "\\Windows\\Fonts\\mangal.ttf" (normalized: "c:\\windows\\fonts\\mangal.ttf") Region: id = 2335 start_va = 0x1dd9e20000 end_va = 0x1dd9e34fff entry_point = 0x1dd9e20000 region_type = mapped_file name = "browauz.ttf" filename = "\\Windows\\Fonts\\browauz.ttf" (normalized: "c:\\windows\\fonts\\browauz.ttf") Region: id = 2349 start_va = 0x1dd9e40000 end_va = 0x1dd9e87fff entry_point = 0x1dd9e40000 region_type = mapped_file name = "majallab.ttf" filename = "\\Windows\\Fonts\\majallab.ttf" (normalized: "c:\\windows\\fonts\\majallab.ttf") Region: id = 2352 start_va = 0x1dd9e90000 end_va = 0x1dd9e9dfff entry_point = 0x1dd9e90000 region_type = mapped_file name = "upclbi.ttf" filename = "\\Windows\\Fonts\\upclbi.ttf" (normalized: "c:\\windows\\fonts\\upclbi.ttf") Region: id = 2356 start_va = 0x1dd9ea0000 end_va = 0x1dd9f05fff entry_point = 0x1dd9ea0000 region_type = mapped_file name = "palab.ttf" filename = "\\Windows\\Fonts\\palab.ttf" (normalized: "c:\\windows\\fonts\\palab.ttf") Region: id = 2357 start_va = 0x1dd9f10000 end_va = 0x1dd9f63fff entry_point = 0x1dd9f10000 region_type = mapped_file name = "moolbor.ttf" filename = "\\Windows\\Fonts\\moolbor.ttf" (normalized: "c:\\windows\\fonts\\moolbor.ttf") Region: id = 2360 start_va = 0x1dd9f70000 end_va = 0x1dd9feffff entry_point = 0x0 region_type = private name = "private_0x0000001dd9f70000" filename = "" Region: id = 2361 start_va = 0x7ff606558000 end_va = 0x7ff606559fff entry_point = 0x0 region_type = private name = "private_0x00007ff606558000" filename = "" Region: id = 2362 start_va = 0x1dd9ff0000 end_va = 0x1dda015fff entry_point = 0x1dd9ff0000 region_type = mapped_file name = "framdit.ttf" filename = "\\Windows\\Fonts\\framdit.ttf" (normalized: "c:\\windows\\fonts\\framdit.ttf") Region: id = 2363 start_va = 0x7ff9f89d0000 end_va = 0x7ff9f89dbfff entry_point = 0x7ff9f89d0000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 2364 start_va = 0x7ff9ff470000 end_va = 0x7ff9ff478fff entry_point = 0x7ff9ff470000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2410 start_va = 0x1dd9f70000 end_va = 0x1dd9f89fff entry_point = 0x1dd9f70000 region_type = mapped_file name = "cordia.ttf" filename = "\\Windows\\Fonts\\cordia.ttf" (normalized: "c:\\windows\\fonts\\cordia.ttf") Region: id = 2411 start_va = 0x1dda020000 end_va = 0x1dda0bafff entry_point = 0x1dda020000 region_type = mapped_file name = "ariali.ttf" filename = "\\Windows\\Fonts\\ariali.ttf" (normalized: "c:\\windows\\fonts\\ariali.ttf") Region: id = 2421 start_va = 0x1dd75a0000 end_va = 0x1dd75d5fff entry_point = 0x1dd75a0000 region_type = mapped_file name = "kokilai.ttf" filename = "\\Windows\\Fonts\\kokilai.ttf" (normalized: "c:\\windows\\fonts\\kokilai.ttf") Region: id = 2425 start_va = 0x1dd75e0000 end_va = 0x1dd75f8fff entry_point = 0x1dd75e0000 region_type = mapped_file name = "angsaui.ttf" filename = "\\Windows\\Fonts\\angsaui.ttf" (normalized: "c:\\windows\\fonts\\angsaui.ttf") Region: id = 2427 start_va = 0x1dd7600000 end_va = 0x1dd7611fff entry_point = 0x1dd7600000 region_type = mapped_file name = "upcjl.ttf" filename = "\\Windows\\Fonts\\upcjl.ttf" (normalized: "c:\\windows\\fonts\\upcjl.ttf") Region: id = 2428 start_va = 0x1dd8d90000 end_va = 0x1dd8dc2fff entry_point = 0x1dd8d90000 region_type = mapped_file name = "trebucbd.ttf" filename = "\\Windows\\Fonts\\trebucbd.ttf" (normalized: "c:\\windows\\fonts\\trebucbd.ttf") Region: id = 2434 start_va = 0x1dd8dd0000 end_va = 0x1dd8de0fff entry_point = 0x1dd8dd0000 region_type = mapped_file name = "taile.ttf" filename = "\\Windows\\Fonts\\taile.ttf" (normalized: "c:\\windows\\fonts\\taile.ttf") Region: id = 2436 start_va = 0x1dd75a0000 end_va = 0x1dd75cffff entry_point = 0x1dd75a0000 region_type = mapped_file name = "utsaah.ttf" filename = "\\Windows\\Fonts\\utsaah.ttf" (normalized: "c:\\windows\\fonts\\utsaah.ttf") Region: id = 2438 start_va = 0x1dd8df0000 end_va = 0x1dd9716fff entry_point = 0x1dd8df0000 region_type = mapped_file name = "malgun.ttf" filename = "\\Windows\\Fonts\\malgun.ttf" (normalized: "c:\\windows\\fonts\\malgun.ttf") Region: id = 2455 start_va = 0x1dd75d0000 end_va = 0x1dd75e8fff entry_point = 0x1dd75d0000 region_type = mapped_file name = "simpfxo.ttf" filename = "\\Windows\\Fonts\\simpfxo.ttf" (normalized: "c:\\windows\\fonts\\simpfxo.ttf") Region: id = 2458 start_va = 0x1dd75f0000 end_va = 0x1dd7601fff entry_point = 0x1dd75f0000 region_type = mapped_file name = "gisha.ttf" filename = "\\Windows\\Fonts\\gisha.ttf" (normalized: "c:\\windows\\fonts\\gisha.ttf") Region: id = 2460 start_va = 0x1dd8d90000 end_va = 0x1dd8dc0fff entry_point = 0x1dd8d90000 region_type = mapped_file name = "utsaahbi.ttf" filename = "\\Windows\\Fonts\\utsaahbi.ttf" (normalized: "c:\\windows\\fonts\\utsaahbi.ttf") Region: id = 2461 start_va = 0x1dd9720000 end_va = 0x1dda1b7fff entry_point = 0x1dd9720000 region_type = mapped_file name = "msjhl.ttc" filename = "\\Windows\\Fonts\\msjhl.ttc" (normalized: "c:\\windows\\fonts\\msjhl.ttc") Region: id = 2472 start_va = 0x1dda1c0000 end_va = 0x1dda1f6fff entry_point = 0x1dda1c0000 region_type = mapped_file name = "comicbd.ttf" filename = "\\Windows\\Fonts\\comicbd.ttf" (normalized: "c:\\windows\\fonts\\comicbd.ttf") Region: id = 2481 start_va = 0x1dd75a0000 end_va = 0x1dd75b5fff entry_point = 0x1dd75a0000 region_type = mapped_file name = "browau.ttf" filename = "\\Windows\\Fonts\\browau.ttf" (normalized: "c:\\windows\\fonts\\browau.ttf") Region: id = 2482 start_va = 0x1dda200000 end_va = 0x1dda3b2fff entry_point = 0x1dda200000 region_type = mapped_file name = "seguisym.ttf" filename = "\\Windows\\Fonts\\seguisym.ttf" (normalized: "c:\\windows\\fonts\\seguisym.ttf") Region: id = 2487 start_va = 0x1dd8dd0000 end_va = 0x1dd8dfbfff entry_point = 0x1dd8dd0000 region_type = mapped_file name = "kokila.ttf" filename = "\\Windows\\Fonts\\kokila.ttf" (normalized: "c:\\windows\\fonts\\kokila.ttf") Region: id = 2490 start_va = 0x1dd8e00000 end_va = 0x1dd8e38fff entry_point = 0x1dd8e00000 region_type = mapped_file name = "vrindab.ttf" filename = "\\Windows\\Fonts\\vrindab.ttf" (normalized: "c:\\windows\\fonts\\vrindab.ttf") Region: id = 2491 start_va = 0x1dd75c0000 end_va = 0x1dd75d0fff entry_point = 0x1dd75c0000 region_type = mapped_file name = "upcfbi.ttf" filename = "\\Windows\\Fonts\\upcfbi.ttf" (normalized: "c:\\windows\\fonts\\upcfbi.ttf") Region: id = 2493 start_va = 0x1dd8e40000 end_va = 0x1dd8e82fff entry_point = 0x1dd8e40000 region_type = mapped_file name = "tradbdo.ttf" filename = "\\Windows\\Fonts\\tradbdo.ttf" (normalized: "c:\\windows\\fonts\\tradbdo.ttf") Region: id = 2497 start_va = 0x1dd75e0000 end_va = 0x1dd760ffff entry_point = 0x1dd75e0000 region_type = mapped_file name = "aparajb.ttf" filename = "\\Windows\\Fonts\\aparajb.ttf" (normalized: "c:\\windows\\fonts\\aparajb.ttf") Region: id = 2498 start_va = 0x1dd8e90000 end_va = 0x1dd8f80fff entry_point = 0x1dd8e90000 region_type = mapped_file name = "sitkaz.ttc" filename = "\\Windows\\Fonts\\SitkaZ.ttc" (normalized: "c:\\windows\\fonts\\sitkaz.ttc") Region: id = 2504 start_va = 0x1dd8f90000 end_va = 0x1dd90eafff entry_point = 0x1dd8f90000 region_type = mapped_file name = "nirmalas.ttf" filename = "\\Windows\\Fonts\\NirmalaS.ttf" (normalized: "c:\\windows\\fonts\\nirmalas.ttf") Region: id = 2507 start_va = 0x1dd90f0000 end_va = 0x1dd9140fff entry_point = 0x1dd90f0000 region_type = mapped_file name = "leelauib.ttf" filename = "\\Windows\\Fonts\\LeelaUIb.ttf" (normalized: "c:\\windows\\fonts\\leelauib.ttf") Region: id = 2509 start_va = 0x1dd75a0000 end_va = 0x1dd75b0fff entry_point = 0x1dd75a0000 region_type = mapped_file name = "upckbi.ttf" filename = "\\Windows\\Fonts\\upckbi.ttf" (normalized: "c:\\windows\\fonts\\upckbi.ttf") Region: id = 2510 start_va = 0x1dd8d90000 end_va = 0x1dd8dc3fff entry_point = 0x1dd8d90000 region_type = mapped_file name = "gadugib.ttf" filename = "\\Windows\\Fonts\\gadugib.ttf" (normalized: "c:\\windows\\fonts\\gadugib.ttf") Region: id = 2512 start_va = 0x1dd75c0000 end_va = 0x1dd75d1fff entry_point = 0x1dd75c0000 region_type = mapped_file name = "ntailu.ttf" filename = "\\Windows\\Fonts\\ntailu.ttf" (normalized: "c:\\windows\\fonts\\ntailu.ttf") Region: id = 2514 start_va = 0x1dd75e0000 end_va = 0x1dd7604fff entry_point = 0x1dd75e0000 region_type = mapped_file name = "dokchamp.ttf" filename = "\\Windows\\Fonts\\dokchamp.ttf" (normalized: "c:\\windows\\fonts\\dokchamp.ttf") Region: id = 2515 start_va = 0x1dd8dd0000 end_va = 0x1dd8e21fff entry_point = 0x1dd8dd0000 region_type = mapped_file name = "palabi.ttf" filename = "\\Windows\\Fonts\\palabi.ttf" (normalized: "c:\\windows\\fonts\\palabi.ttf") Region: id = 2524 start_va = 0x1dd8e30000 end_va = 0x1dd8ea0fff entry_point = 0x1dd8e30000 region_type = mapped_file name = "segoeuii.ttf" filename = "\\Windows\\Fonts\\segoeuii.ttf" (normalized: "c:\\windows\\fonts\\segoeuii.ttf") Region: id = 2529 start_va = 0x1dd8eb0000 end_va = 0x1dd8f7ffff entry_point = 0x1dd8eb0000 region_type = mapped_file name = "calibrib.ttf" filename = "\\Windows\\Fonts\\calibrib.ttf" (normalized: "c:\\windows\\fonts\\calibrib.ttf") Region: id = 2545 start_va = 0x1dd75a0000 end_va = 0x1dd75b5fff entry_point = 0x1dd75a0000 region_type = mapped_file name = "cordiaz.ttf" filename = "\\Windows\\Fonts\\cordiaz.ttf" (normalized: "c:\\windows\\fonts\\cordiaz.ttf") Region: id = 2551 start_va = 0x1dd7610000 end_va = 0x1dd761ffff entry_point = 0x1dd7610000 region_type = mapped_file name = "mriam.ttf" filename = "\\Windows\\Fonts\\mriam.ttf" (normalized: "c:\\windows\\fonts\\mriam.ttf") Region: id = 2552 start_va = 0x1dd8d90000 end_va = 0x1dd8da9fff entry_point = 0x1dd8d90000 region_type = mapped_file name = "angsab.ttf" filename = "\\Windows\\Fonts\\angsab.ttf" (normalized: "c:\\windows\\fonts\\angsab.ttf") Region: id = 2556 start_va = 0x1dd8f80000 end_va = 0x1dd9003fff entry_point = 0x1dd8f80000 region_type = mapped_file name = "iskpota.ttf" filename = "\\Windows\\Fonts\\iskpota.ttf" (normalized: "c:\\windows\\fonts\\iskpota.ttf") Region: id = 2559 start_va = 0x1dd75c0000 end_va = 0x1dd75cffff entry_point = 0x1dd75c0000 region_type = mapped_file name = "upcfl.ttf" filename = "\\Windows\\Fonts\\upcfl.ttf" (normalized: "c:\\windows\\fonts\\upcfl.ttf") Region: id = 2563 start_va = 0x1dd75d0000 end_va = 0x1dd75effff entry_point = 0x1dd75d0000 region_type = mapped_file name = "kartika.ttf" filename = "\\Windows\\Fonts\\kartika.ttf" (normalized: "c:\\windows\\fonts\\kartika.ttf") Region: id = 2564 start_va = 0x1dd8db0000 end_va = 0x1dd8e65fff entry_point = 0x1dd8db0000 region_type = mapped_file name = "segoeuisl.ttf" filename = "\\Windows\\Fonts\\segoeuisl.ttf" (normalized: "c:\\windows\\fonts\\segoeuisl.ttf") Region: id = 2567 start_va = 0x1dd8e70000 end_va = 0x1dd8e95fff entry_point = 0x1dd8e70000 region_type = mapped_file name = "vijaya.ttf" filename = "\\Windows\\Fonts\\vijaya.ttf" (normalized: "c:\\windows\\fonts\\vijaya.ttf") Region: id = 2569 start_va = 0x1dd9010000 end_va = 0x1dd9161fff entry_point = 0x1dd9010000 region_type = mapped_file name = "nirmala.ttf" filename = "\\Windows\\Fonts\\Nirmala.ttf" (normalized: "c:\\windows\\fonts\\nirmala.ttf") Region: id = 2570 start_va = 0x1dd8ea0000 end_va = 0x1dd8ee5fff entry_point = 0x1dd8ea0000 region_type = mapped_file name = "monbaiti.ttf" filename = "\\Windows\\Fonts\\monbaiti.ttf" (normalized: "c:\\windows\\fonts\\monbaiti.ttf") Region: id = 2571 start_va = 0x1dd9170000 end_va = 0x1dda611fff entry_point = 0x1dd9170000 region_type = mapped_file name = "msyh.ttc" filename = "\\Windows\\Fonts\\msyh.ttc" (normalized: "c:\\windows\\fonts\\msyh.ttc") Region: id = 2605 start_va = 0x1dd75a0000 end_va = 0x1dd75fbfff entry_point = 0x1dd75a0000 region_type = mapped_file name = "vanib.ttf" filename = "\\Windows\\Fonts\\Vanib.ttf" (normalized: "c:\\windows\\fonts\\vanib.ttf") Region: id = 2632 start_va = 0x1dd8d90000 end_va = 0x1dd8dd7fff entry_point = 0x1dd8d90000 region_type = mapped_file name = "majalla.ttf" filename = "\\Windows\\Fonts\\majalla.ttf" (normalized: "c:\\windows\\fonts\\majalla.ttf") Region: id = 2635 start_va = 0x1dd8de0000 end_va = 0x1dd8e08fff entry_point = 0x1dd8de0000 region_type = mapped_file name = "ariblk.ttf" filename = "\\Windows\\Fonts\\ariblk.ttf" (normalized: "c:\\windows\\fonts\\ariblk.ttf") Region: id = 2641 start_va = 0x1dd7600000 end_va = 0x1dd7611fff entry_point = 0x1dd7600000 region_type = mapped_file name = "upcib.ttf" filename = "\\Windows\\Fonts\\upcib.ttf" (normalized: "c:\\windows\\fonts\\upcib.ttf") Region: id = 2648 start_va = 0x1dd8ef0000 end_va = 0x1dd8fd5fff entry_point = 0x1dd8ef0000 region_type = mapped_file name = "sitka.ttc" filename = "\\Windows\\Fonts\\Sitka.ttc" (normalized: "c:\\windows\\fonts\\sitka.ttc") Region: id = 2735 start_va = 0x1dd8e10000 end_va = 0x1dd8e72fff entry_point = 0x1dd8e10000 region_type = mapped_file name = "seguisli.ttf" filename = "\\Windows\\Fonts\\seguisli.ttf" (normalized: "c:\\windows\\fonts\\seguisli.ttf") Region: id = 2739 start_va = 0x1dda620000 end_va = 0x1ddb5a2fff entry_point = 0x1dda620000 region_type = mapped_file name = "batang.ttc" filename = "\\Windows\\Fonts\\batang.ttc" (normalized: "c:\\windows\\fonts\\batang.ttc") Region: id = 2763 start_va = 0x1dd75a0000 end_va = 0x1dd75dcfff entry_point = 0x1dd75a0000 region_type = mapped_file name = "gautami.ttf" filename = "\\Windows\\Fonts\\gautami.ttf" (normalized: "c:\\windows\\fonts\\gautami.ttf") Region: id = 2765 start_va = 0x1dd75e0000 end_va = 0x1dd75f2fff entry_point = 0x1dd75e0000 region_type = mapped_file name = "upcjbi.ttf" filename = "\\Windows\\Fonts\\upcjbi.ttf" (normalized: "c:\\windows\\fonts\\upcjbi.ttf") Region: id = 2767 start_va = 0x1dd8d90000 end_va = 0x1dd8ddefff entry_point = 0x1dd8d90000 region_type = mapped_file name = "seguibl.ttf" filename = "\\Windows\\Fonts\\seguibl.ttf" (normalized: "c:\\windows\\fonts\\seguibl.ttf") Region: id = 2772 start_va = 0x1dd8de0000 end_va = 0x1dd8eb4fff entry_point = 0x1dd8de0000 region_type = mapped_file name = "calibrili.ttf" filename = "\\Windows\\Fonts\\calibrili.ttf" (normalized: "c:\\windows\\fonts\\calibrili.ttf") Region: id = 2773 start_va = 0x1dd8ec0000 end_va = 0x1dd8f85fff entry_point = 0x1dd8ec0000 region_type = mapped_file name = "cambriaz.ttf" filename = "\\Windows\\Fonts\\cambriaz.ttf" (normalized: "c:\\windows\\fonts\\cambriaz.ttf") Region: id = 2774 start_va = 0x1dd7600000 end_va = 0x1dd7611fff entry_point = 0x1dd7600000 region_type = mapped_file name = "rod.ttf" filename = "\\Windows\\Fonts\\rod.ttf" (normalized: "c:\\windows\\fonts\\rod.ttf") Region: id = 2776 start_va = 0x1dd8f90000 end_va = 0x1dd8fc4fff entry_point = 0x1dd8f90000 region_type = mapped_file name = "georgiaz.ttf" filename = "\\Windows\\Fonts\\georgiaz.ttf" (normalized: "c:\\windows\\fonts\\georgiaz.ttf") Region: id = 2782 start_va = 0x1dd8fd0000 end_va = 0x1dd900afff entry_point = 0x1dd8fd0000 region_type = mapped_file name = "verdana.ttf" filename = "\\Windows\\Fonts\\verdana.ttf" (normalized: "c:\\windows\\fonts\\verdana.ttf") Region: id = 2783 start_va = 0x1dd9010000 end_va = 0x1dd9021fff entry_point = 0x1dd9010000 region_type = mapped_file name = "symbol.ttf" filename = "\\Windows\\Fonts\\symbol.ttf" (normalized: "c:\\windows\\fonts\\symbol.ttf") Region: id = 2800 start_va = 0x1dd9030000 end_va = 0x1dd905afff entry_point = 0x1dd9030000 region_type = mapped_file name = "euphemia.ttf" filename = "\\Windows\\Fonts\\euphemia.ttf" (normalized: "c:\\windows\\fonts\\euphemia.ttf") Region: id = 2803 start_va = 0x1dd75a0000 end_va = 0x1dd75b6fff entry_point = 0x1dd75a0000 region_type = mapped_file name = "raavib.ttf" filename = "\\Windows\\Fonts\\raavib.ttf" (normalized: "c:\\windows\\fonts\\raavib.ttf") Region: id = 2808 start_va = 0x1dd9060000 end_va = 0x1dd90a4fff entry_point = 0x1dd9060000 region_type = mapped_file name = "corbelz.ttf" filename = "\\Windows\\Fonts\\corbelz.ttf" (normalized: "c:\\windows\\fonts\\corbelz.ttf") Region: id = 2813 start_va = 0x1dd90b0000 end_va = 0x1dd90f2fff entry_point = 0x1dd90b0000 region_type = mapped_file name = "corbelb.ttf" filename = "\\Windows\\Fonts\\corbelb.ttf" (normalized: "c:\\windows\\fonts\\corbelb.ttf") Region: id = 2814 start_va = 0x1dd9100000 end_va = 0x1dd9135fff entry_point = 0x1dd9100000 region_type = mapped_file name = "shrutib.ttf" filename = "\\Windows\\Fonts\\shrutib.ttf" (normalized: "c:\\windows\\fonts\\shrutib.ttf") Region: id = 2815 start_va = 0x1dd9140000 end_va = 0x1dd9197fff entry_point = 0x1dd9140000 region_type = mapped_file name = "consola.ttf" filename = "\\Windows\\Fonts\\consola.ttf" (normalized: "c:\\windows\\fonts\\consola.ttf") Region: id = 2829 start_va = 0x1dd91a0000 end_va = 0x1dd9213fff entry_point = 0x1dd91a0000 region_type = mapped_file name = "segoeuiz.ttf" filename = "\\Windows\\Fonts\\segoeuiz.ttf" (normalized: "c:\\windows\\fonts\\segoeuiz.ttf") Region: id = 2837 start_va = 0x1dd9220000 end_va = 0x1dd9280fff entry_point = 0x1dd9220000 region_type = mapped_file name = "seguisbi.ttf" filename = "\\Windows\\Fonts\\seguisbi.ttf" (normalized: "c:\\windows\\fonts\\seguisbi.ttf") Region: id = 2851 start_va = 0x1dd75c0000 end_va = 0x1dd75e4fff entry_point = 0x1dd75c0000 region_type = mapped_file name = "simpo.ttf" filename = "\\Windows\\Fonts\\simpo.ttf" (normalized: "c:\\windows\\fonts\\simpo.ttf") Region: id = 2853 start_va = 0x1dd9290000 end_va = 0x1dd942cfff entry_point = 0x1dd9290000 region_type = mapped_file name = "cambria.ttc" filename = "\\Windows\\Fonts\\cambria.ttc" (normalized: "c:\\windows\\fonts\\cambria.ttc") Region: id = 2869 start_va = 0x1dd75f0000 end_va = 0x1dd761efff entry_point = 0x1dd75f0000 region_type = mapped_file name = "daunpenh.ttf" filename = "\\Windows\\Fonts\\daunpenh.ttf" (normalized: "c:\\windows\\fonts\\daunpenh.ttf") Region: id = 2870 start_va = 0x1dd8d90000 end_va = 0x1dd8dfbfff entry_point = 0x1dd8d90000 region_type = mapped_file name = "nyala.ttf" filename = "\\Windows\\Fonts\\nyala.ttf" (normalized: "c:\\windows\\fonts\\nyala.ttf") Region: id = 2871 start_va = 0x1dd8e00000 end_va = 0x1dd8e31fff entry_point = 0x1dd8e00000 region_type = mapped_file name = "trebucbi.ttf" filename = "\\Windows\\Fonts\\trebucbi.ttf" (normalized: "c:\\windows\\fonts\\trebucbi.ttf") Region: id = 2885 start_va = 0x1dd9430000 end_va = 0x1dd9cb1fff entry_point = 0x1dd9430000 region_type = mapped_file name = "malgunbd.ttf" filename = "\\Windows\\Fonts\\malgunbd.ttf" (normalized: "c:\\windows\\fonts\\malgunbd.ttf") Region: id = 2893 start_va = 0x1dd8e40000 end_va = 0x1dd8eaefff entry_point = 0x1dd8e40000 region_type = mapped_file name = "constanz.ttf" filename = "\\Windows\\Fonts\\constanz.ttf" (normalized: "c:\\windows\\fonts\\constanz.ttf") Region: id = 2896 start_va = 0x1dd75a0000 end_va = 0x1dd75adfff entry_point = 0x1dd75a0000 region_type = mapped_file name = "upcli.ttf" filename = "\\Windows\\Fonts\\upcli.ttf" (normalized: "c:\\windows\\fonts\\upcli.ttf") Region: id = 2897 start_va = 0x1dd9cc0000 end_va = 0x1dda915fff entry_point = 0x1dd9cc0000 region_type = mapped_file name = "yugothic.ttf" filename = "\\Windows\\Fonts\\yugothic.ttf" (normalized: "c:\\windows\\fonts\\yugothic.ttf") Region: id = 2936 start_va = 0x1dd75a0000 end_va = 0x1dd75b7fff entry_point = 0x1dd75a0000 region_type = mapped_file name = "cordiaui.ttf" filename = "\\Windows\\Fonts\\cordiaui.ttf" (normalized: "c:\\windows\\fonts\\cordiaui.ttf") Region: id = 2938 start_va = 0x1dd8d90000 end_va = 0x1dd8e0ffff entry_point = 0x0 region_type = private name = "private_0x0000001dd8d90000" filename = "" Region: id = 2939 start_va = 0x7ff606558000 end_va = 0x7ff606559fff entry_point = 0x0 region_type = private name = "private_0x00007ff606558000" filename = "" Region: id = 2940 start_va = 0x1dd75c0000 end_va = 0x1dd75fefff entry_point = 0x1dd75c0000 region_type = mapped_file name = "khmeruib.ttf" filename = "\\Windows\\Fonts\\KhmerUIb.ttf" (normalized: "c:\\windows\\fonts\\khmeruib.ttf") Thread: id = 190 os_tid = 0x318 Thread: id = 191 os_tid = 0x31c Thread: id = 192 os_tid = 0x320 Thread: id = 196 os_tid = 0x32c Thread: id = 197 os_tid = 0x330 Thread: id = 199 os_tid = 0x338 Thread: id = 211 os_tid = 0x36c Thread: id = 216 os_tid = 0x380 Thread: id = 217 os_tid = 0x384 Thread: id = 230 os_tid = 0x3b8 Thread: id = 308 os_tid = 0x430 Process: id = "28" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x8e2f000" os_pid = "0x358" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\DeviceAssociationService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\fhsvc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\NcbService" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\ScDeviceEnum" [0xa], "NT SERVICE\\svsvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\vmicguestinterface" [0xa], "NT SERVICE\\vmickvpexchange" [0xa], "NT SERVICE\\vmicshutdown" [0xa], "NT SERVICE\\vmicvss" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\WiaRpc" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b4e1" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2211 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2212 start_va = 0xb7d1b70000 end_va = 0xb7d1b8ffff entry_point = 0x0 region_type = private name = "private_0x000000b7d1b70000" filename = "" Region: id = 2213 start_va = 0xb7d1b90000 end_va = 0xb7d1b9efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d1b90000" filename = "" Region: id = 2214 start_va = 0xb7d1ba0000 end_va = 0xb7d1c1ffff entry_point = 0x0 region_type = private name = "private_0x000000b7d1ba0000" filename = "" Region: id = 2215 start_va = 0xb7d1c20000 end_va = 0xb7d1c23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d1c20000" filename = "" Region: id = 2216 start_va = 0x7ff6063e0000 end_va = 0x7ff606402fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6063e0000" filename = "" Region: id = 2217 start_va = 0x7ff606403000 end_va = 0x7ff606403fff entry_point = 0x0 region_type = private name = "private_0x00007ff606403000" filename = "" Region: id = 2218 start_va = 0x7ff60640e000 end_va = 0x7ff60640ffff entry_point = 0x0 region_type = private name = "private_0x00007ff60640e000" filename = "" Region: id = 2219 start_va = 0x7ff606dc0000 end_va = 0x7ff606dcbfff entry_point = 0x7ff606dc0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2220 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2221 start_va = 0xb7d1c30000 end_va = 0xb7d1c30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d1c30000" filename = "" Region: id = 2222 start_va = 0xb7d1c40000 end_va = 0xb7d1c41fff entry_point = 0x0 region_type = private name = "private_0x000000b7d1c40000" filename = "" Region: id = 2227 start_va = 0xb7d1c50000 end_va = 0xb7d1d4ffff entry_point = 0x0 region_type = private name = "private_0x000000b7d1c50000" filename = "" Region: id = 2228 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2229 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2230 start_va = 0xb7d1b70000 end_va = 0xb7d1b7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d1b70000" filename = "" Region: id = 2231 start_va = 0x7ff6062e0000 end_va = 0x7ff6063dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6062e0000" filename = "" Region: id = 2232 start_va = 0xb7d1d50000 end_va = 0xb7d1dcdfff entry_point = 0xb7d1d50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2233 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2234 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2235 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2236 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2237 start_va = 0xb7d1dd0000 end_va = 0xb7d1e6ffff entry_point = 0x0 region_type = private name = "private_0x000000b7d1dd0000" filename = "" Region: id = 2238 start_va = 0xb7d1b80000 end_va = 0xb7d1b86fff entry_point = 0x0 region_type = private name = "private_0x000000b7d1b80000" filename = "" Region: id = 2239 start_va = 0xb7d1e70000 end_va = 0xb7d1f27fff entry_point = 0xb7d1e70000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2240 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2241 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2242 start_va = 0xb7d1dd0000 end_va = 0xb7d1dd6fff entry_point = 0x0 region_type = private name = "private_0x000000b7d1dd0000" filename = "" Region: id = 2243 start_va = 0xb7d1e60000 end_va = 0xb7d1e6ffff entry_point = 0x0 region_type = private name = "private_0x000000b7d1e60000" filename = "" Region: id = 2244 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2245 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2246 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2247 start_va = 0xb7d1e70000 end_va = 0xb7d1ff7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d1e70000" filename = "" Region: id = 2248 start_va = 0xb7d2000000 end_va = 0xb7d2180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d2000000" filename = "" Region: id = 2249 start_va = 0xb7d2190000 end_va = 0xb7d224ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d2190000" filename = "" Region: id = 2250 start_va = 0xb7d1de0000 end_va = 0xb7d1de2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d1de0000" filename = "" Region: id = 2251 start_va = 0xb7d1df0000 end_va = 0xb7d1df0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d1df0000" filename = "" Region: id = 2252 start_va = 0xb7d1e00000 end_va = 0xb7d1e00fff entry_point = 0x0 region_type = private name = "private_0x000000b7d1e00000" filename = "" Region: id = 2253 start_va = 0xb7d1e10000 end_va = 0xb7d1e10fff entry_point = 0x0 region_type = private name = "private_0x000000b7d1e10000" filename = "" Region: id = 2254 start_va = 0xb7d2250000 end_va = 0xb7d264bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d2250000" filename = "" Region: id = 2264 start_va = 0xb7d2650000 end_va = 0xb7d26cffff entry_point = 0x0 region_type = private name = "private_0x000000b7d2650000" filename = "" Region: id = 2265 start_va = 0xb7d26d0000 end_va = 0xb7d274ffff entry_point = 0x0 region_type = private name = "private_0x000000b7d26d0000" filename = "" Region: id = 2266 start_va = 0xb7d2750000 end_va = 0xb7d2a24fff entry_point = 0xb7d2750000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2267 start_va = 0x7ff60640a000 end_va = 0x7ff60640bfff entry_point = 0x0 region_type = private name = "private_0x00007ff60640a000" filename = "" Region: id = 2268 start_va = 0x7ff60640c000 end_va = 0x7ff60640dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60640c000" filename = "" Region: id = 2272 start_va = 0x7ff9f8e50000 end_va = 0x7ff9f8e86fff entry_point = 0x7ff9f8e50000 region_type = mapped_file name = "audioendpointbuilder.dll" filename = "\\Windows\\System32\\AudioEndpointBuilder.dll" (normalized: "c:\\windows\\system32\\audioendpointbuilder.dll") Region: id = 2278 start_va = 0x7ff9fc360000 end_va = 0x7ff9fc385fff entry_point = 0x7ff9fc360000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2279 start_va = 0x7ff9fca50000 end_va = 0x7ff9fca99fff entry_point = 0x7ff9fca50000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2280 start_va = 0x7ff9f9e20000 end_va = 0x7ff9f9e81fff entry_point = 0x7ff9f9e20000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2281 start_va = 0x7ff9fb6f0000 end_va = 0x7ff9fb715fff entry_point = 0x7ff9fb6f0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2285 start_va = 0xb7d1e20000 end_va = 0xb7d1e20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d1e20000" filename = "" Region: id = 2286 start_va = 0xb7d2a30000 end_va = 0xb7d2aaffff entry_point = 0x0 region_type = private name = "private_0x000000b7d2a30000" filename = "" Region: id = 2287 start_va = 0x7ff606408000 end_va = 0x7ff606409fff entry_point = 0x0 region_type = private name = "private_0x00007ff606408000" filename = "" Region: id = 2288 start_va = 0x7ff9fd8c0000 end_va = 0x7ff9fd963fff entry_point = 0x7ff9fd8c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2289 start_va = 0xb7d1e30000 end_va = 0xb7d1e30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b7d1e30000" filename = "" Region: id = 2290 start_va = 0xb7d2ab0000 end_va = 0xb7d2b2ffff entry_point = 0x0 region_type = private name = "private_0x000000b7d2ab0000" filename = "" Region: id = 2291 start_va = 0x7ff606406000 end_va = 0x7ff606407fff entry_point = 0x0 region_type = private name = "private_0x00007ff606406000" filename = "" Region: id = 2292 start_va = 0xb7d1e40000 end_va = 0xb7d1e40fff entry_point = 0x0 region_type = private name = "private_0x000000b7d1e40000" filename = "" Region: id = 2293 start_va = 0xb7d1e50000 end_va = 0xb7d1e50fff entry_point = 0x0 region_type = private name = "private_0x000000b7d1e50000" filename = "" Region: id = 2301 start_va = 0xb7d26d0000 end_va = 0xb7d26d0fff entry_point = 0xb7d26d0000 region_type = mapped_file name = "mmdevapi.dll.mui" filename = "\\Windows\\System32\\en-US\\MMDevAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mmdevapi.dll.mui") Region: id = 2306 start_va = 0xb7d26e0000 end_va = 0xb7d26e0fff entry_point = 0x0 region_type = private name = "private_0x000000b7d26e0000" filename = "" Region: id = 2307 start_va = 0xb7d2b30000 end_va = 0xb7d2baffff entry_point = 0x0 region_type = private name = "private_0x000000b7d2b30000" filename = "" Region: id = 2308 start_va = 0x7ff60640a000 end_va = 0x7ff60640bfff entry_point = 0x0 region_type = private name = "private_0x00007ff60640a000" filename = "" Region: id = 2313 start_va = 0xb7d26e0000 end_va = 0xb7d26e0fff entry_point = 0x0 region_type = private name = "private_0x000000b7d26e0000" filename = "" Region: id = 2314 start_va = 0xb7d2bb0000 end_va = 0xb7d2c2ffff entry_point = 0x0 region_type = private name = "private_0x000000b7d2bb0000" filename = "" Region: id = 2315 start_va = 0x7ff606404000 end_va = 0x7ff606405fff entry_point = 0x0 region_type = private name = "private_0x00007ff606404000" filename = "" Region: id = 2316 start_va = 0x7ff9fc820000 end_va = 0x7ff9fc864fff entry_point = 0x7ff9fc820000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2317 start_va = 0x7ff9f8c60000 end_va = 0x7ff9f8c70fff entry_point = 0x7ff9f8c60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2318 start_va = 0x7ff9fc790000 end_va = 0x7ff9fc7e6fff entry_point = 0x7ff9fc790000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2929 start_va = 0xb7d2c30000 end_va = 0xb7d2caffff entry_point = 0x0 region_type = private name = "private_0x000000b7d2c30000" filename = "" Region: id = 2930 start_va = 0x7ff6062de000 end_va = 0x7ff6062dffff entry_point = 0x0 region_type = private name = "private_0x00007ff6062de000" filename = "" Region: id = 2931 start_va = 0x7ff9f7f60000 end_va = 0x7ff9f7fd5fff entry_point = 0x7ff9f7f60000 region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 2935 start_va = 0x7ff9fd2b0000 end_va = 0x7ff9fd354fff entry_point = 0x7ff9fd2b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2941 start_va = 0xb7d2cb0000 end_va = 0xb7d2d2ffff entry_point = 0x0 region_type = private name = "private_0x000000b7d2cb0000" filename = "" Region: id = 2942 start_va = 0x7ff6062dc000 end_va = 0x7ff6062ddfff entry_point = 0x0 region_type = private name = "private_0x00007ff6062dc000" filename = "" Region: id = 2943 start_va = 0x7ff9f7e50000 end_va = 0x7ff9f7e6bfff entry_point = 0x7ff9f7e50000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Thread: id = 207 os_tid = 0x35c Thread: id = 209 os_tid = 0x364 Thread: id = 210 os_tid = 0x368 Thread: id = 213 os_tid = 0x374 Thread: id = 214 os_tid = 0x378 Thread: id = 220 os_tid = 0x390 Thread: id = 223 os_tid = 0x39c Thread: id = 303 os_tid = 0x41c Thread: id = 306 os_tid = 0x428 Thread: id = 307 os_tid = 0x42c Process: id = "29" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x516d5000" os_pid = "0x3c4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c1cf" [0xc000000f], "LOCAL" [0x7] Region: id = 2365 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2366 start_va = 0xf1797b0000 end_va = 0xf1797cffff entry_point = 0x0 region_type = private name = "private_0x000000f1797b0000" filename = "" Region: id = 2367 start_va = 0xf1797d0000 end_va = 0xf1797defff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f1797d0000" filename = "" Region: id = 2368 start_va = 0xf1797e0000 end_va = 0xf17985ffff entry_point = 0x0 region_type = private name = "private_0x000000f1797e0000" filename = "" Region: id = 2369 start_va = 0xf179860000 end_va = 0xf179863fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f179860000" filename = "" Region: id = 2370 start_va = 0x7ff606440000 end_va = 0x7ff606462fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606440000" filename = "" Region: id = 2371 start_va = 0x7ff60646a000 end_va = 0x7ff60646afff entry_point = 0x0 region_type = private name = "private_0x00007ff60646a000" filename = "" Region: id = 2372 start_va = 0x7ff60646e000 end_va = 0x7ff60646ffff entry_point = 0x0 region_type = private name = "private_0x00007ff60646e000" filename = "" Region: id = 2373 start_va = 0x7ff606dc0000 end_va = 0x7ff606dcbfff entry_point = 0x7ff606dc0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2374 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2375 start_va = 0xf179870000 end_va = 0xf179870fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f179870000" filename = "" Region: id = 2376 start_va = 0xf179880000 end_va = 0xf179881fff entry_point = 0x0 region_type = private name = "private_0x000000f179880000" filename = "" Region: id = 2377 start_va = 0xf1798c0000 end_va = 0xf1799bffff entry_point = 0x0 region_type = private name = "private_0x000000f1798c0000" filename = "" Region: id = 2378 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2379 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2380 start_va = 0xf1797b0000 end_va = 0xf1797bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f1797b0000" filename = "" Region: id = 2381 start_va = 0x7ff606340000 end_va = 0x7ff60643ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606340000" filename = "" Region: id = 2382 start_va = 0xf1799c0000 end_va = 0xf179a3dfff entry_point = 0xf1799c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2383 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2384 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2385 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2386 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2387 start_va = 0xf179a40000 end_va = 0xf179c3ffff entry_point = 0x0 region_type = private name = "private_0x000000f179a40000" filename = "" Region: id = 2388 start_va = 0xf1797c0000 end_va = 0xf1797c6fff entry_point = 0x0 region_type = private name = "private_0x000000f1797c0000" filename = "" Region: id = 2389 start_va = 0xf179a40000 end_va = 0xf179af7fff entry_point = 0xf179a40000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2390 start_va = 0xf179c30000 end_va = 0xf179c3ffff entry_point = 0x0 region_type = private name = "private_0x000000f179c30000" filename = "" Region: id = 2391 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2392 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2393 start_va = 0xf179890000 end_va = 0xf179896fff entry_point = 0x0 region_type = private name = "private_0x000000f179890000" filename = "" Region: id = 2394 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2395 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2396 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2402 start_va = 0xf179a40000 end_va = 0xf179bc7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f179a40000" filename = "" Region: id = 2403 start_va = 0xf179c40000 end_va = 0xf179dc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f179c40000" filename = "" Region: id = 2404 start_va = 0xf179dd0000 end_va = 0xf179e8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f179dd0000" filename = "" Region: id = 2405 start_va = 0xf1798a0000 end_va = 0xf1798a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f1798a0000" filename = "" Region: id = 2406 start_va = 0xf1798b0000 end_va = 0xf1798b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f1798b0000" filename = "" Region: id = 2407 start_va = 0xf179bd0000 end_va = 0xf179bd0fff entry_point = 0x0 region_type = private name = "private_0x000000f179bd0000" filename = "" Region: id = 2408 start_va = 0xf179be0000 end_va = 0xf179be0fff entry_point = 0x0 region_type = private name = "private_0x000000f179be0000" filename = "" Region: id = 2409 start_va = 0xf179e90000 end_va = 0xf17a28bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f179e90000" filename = "" Region: id = 2412 start_va = 0xf17a290000 end_va = 0xf17a30ffff entry_point = 0x0 region_type = private name = "private_0x000000f17a290000" filename = "" Region: id = 2413 start_va = 0xf17a310000 end_va = 0xf17a38ffff entry_point = 0x0 region_type = private name = "private_0x000000f17a310000" filename = "" Region: id = 2414 start_va = 0x7ff606468000 end_va = 0x7ff606469fff entry_point = 0x0 region_type = private name = "private_0x00007ff606468000" filename = "" Region: id = 2415 start_va = 0x7ff60646c000 end_va = 0x7ff60646dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60646c000" filename = "" Region: id = 2416 start_va = 0xf17a390000 end_va = 0xf17a664fff entry_point = 0xf17a390000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2418 start_va = 0x7ff9f88c0000 end_va = 0x7ff9f8901fff entry_point = 0x7ff9f88c0000 region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 2419 start_va = 0x7ff9fd250000 end_va = 0x7ff9fd2a7fff entry_point = 0x7ff9fd250000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2420 start_va = 0x7ff9fbee0000 end_va = 0x7ff9fbf82fff entry_point = 0x7ff9fbee0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2423 start_va = 0x7ff9f8870000 end_va = 0x7ff9f8879fff entry_point = 0x7ff9f8870000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2424 start_va = 0x7ff9ff470000 end_va = 0x7ff9ff478fff entry_point = 0x7ff9ff470000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2430 start_va = 0x7ff9f8800000 end_va = 0x7ff9f8866fff entry_point = 0x7ff9f8800000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2437 start_va = 0x7ff9f87f0000 end_va = 0x7ff9f87f7fff entry_point = 0x7ff9f87f0000 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 2439 start_va = 0x7ff9fbe80000 end_va = 0x7ff9fbe9efff entry_point = 0x7ff9fbe80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2440 start_va = 0x7ff9fc870000 end_va = 0x7ff9fc883fff entry_point = 0x7ff9fc870000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2441 start_va = 0xf17a670000 end_va = 0xf17a6effff entry_point = 0x0 region_type = private name = "private_0x000000f17a670000" filename = "" Region: id = 2442 start_va = 0x7ff606466000 end_va = 0x7ff606467fff entry_point = 0x0 region_type = private name = "private_0x00007ff606466000" filename = "" Region: id = 2443 start_va = 0x7ff9fba70000 end_va = 0x7ff9fba92fff entry_point = 0x7ff9fba70000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2444 start_va = 0xf17a6f0000 end_va = 0xf17a76ffff entry_point = 0x0 region_type = private name = "private_0x000000f17a6f0000" filename = "" Region: id = 2445 start_va = 0xf17a770000 end_va = 0xf17a7effff entry_point = 0x0 region_type = private name = "private_0x000000f17a770000" filename = "" Region: id = 2446 start_va = 0x7ff60633e000 end_va = 0x7ff60633ffff entry_point = 0x0 region_type = private name = "private_0x00007ff60633e000" filename = "" Region: id = 2447 start_va = 0x7ff606464000 end_va = 0x7ff606465fff entry_point = 0x0 region_type = private name = "private_0x00007ff606464000" filename = "" Region: id = 2448 start_va = 0x7ff9f8890000 end_va = 0x7ff9f88b8fff entry_point = 0x7ff9f8890000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2450 start_va = 0x7ff9f87d0000 end_va = 0x7ff9f87e3fff entry_point = 0x7ff9f87d0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2452 start_va = 0xf17a7f0000 end_va = 0xf17a86ffff entry_point = 0x0 region_type = private name = "private_0x000000f17a7f0000" filename = "" Region: id = 2453 start_va = 0x7ff60633c000 end_va = 0x7ff60633dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60633c000" filename = "" Region: id = 2454 start_va = 0x7ff9fc0d0000 end_va = 0x7ff9fc127fff entry_point = 0x7ff9fc0d0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2457 start_va = 0x7ff9f8740000 end_va = 0x7ff9f8758fff entry_point = 0x7ff9f8740000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2500 start_va = 0xf17a870000 end_va = 0xf17a8effff entry_point = 0x0 region_type = private name = "private_0x000000f17a870000" filename = "" Region: id = 2501 start_va = 0x7ff60633a000 end_va = 0x7ff60633bfff entry_point = 0x0 region_type = private name = "private_0x00007ff60633a000" filename = "" Region: id = 2502 start_va = 0xf17a310000 end_va = 0xf17a38ffff entry_point = 0x0 region_type = private name = "private_0x000000f17a310000" filename = "" Region: id = 2503 start_va = 0x7ff606468000 end_va = 0x7ff606469fff entry_point = 0x0 region_type = private name = "private_0x00007ff606468000" filename = "" Region: id = 2525 start_va = 0xf17a8f0000 end_va = 0xf17aa1ffff entry_point = 0x0 region_type = private name = "private_0x000000f17a8f0000" filename = "" Region: id = 2839 start_va = 0xf17a8f0000 end_va = 0xf17a96ffff entry_point = 0x0 region_type = private name = "private_0x000000f17a8f0000" filename = "" Region: id = 2840 start_va = 0xf17aa10000 end_va = 0xf17aa1ffff entry_point = 0x0 region_type = private name = "private_0x000000f17aa10000" filename = "" Region: id = 2841 start_va = 0x7ff606338000 end_va = 0x7ff606339fff entry_point = 0x0 region_type = private name = "private_0x00007ff606338000" filename = "" Region: id = 2842 start_va = 0x7ff9f80f0000 end_va = 0x7ff9f8137fff entry_point = 0x7ff9f80f0000 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 2854 start_va = 0x7ff9fbb20000 end_va = 0x7ff9fbb2bfff entry_point = 0x7ff9fbb20000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2862 start_va = 0xf17a970000 end_va = 0xf17a9effff entry_point = 0x0 region_type = private name = "private_0x000000f17a970000" filename = "" Region: id = 2863 start_va = 0x7ff606336000 end_va = 0x7ff606337fff entry_point = 0x0 region_type = private name = "private_0x00007ff606336000" filename = "" Region: id = 2864 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2865 start_va = 0xf179bf0000 end_va = 0xf179bf0fff entry_point = 0x0 region_type = private name = "private_0x000000f179bf0000" filename = "" Region: id = 2866 start_va = 0xf17aa20000 end_va = 0xf17aa9ffff entry_point = 0x0 region_type = private name = "private_0x000000f17aa20000" filename = "" Region: id = 2867 start_va = 0x7ff606334000 end_va = 0x7ff606335fff entry_point = 0x0 region_type = private name = "private_0x00007ff606334000" filename = "" Region: id = 2868 start_va = 0xf17aaa0000 end_va = 0xf17ab9ffff entry_point = 0x0 region_type = private name = "private_0x000000f17aaa0000" filename = "" Region: id = 2872 start_va = 0xf17aba0000 end_va = 0xf17ac1ffff entry_point = 0x0 region_type = private name = "private_0x000000f17aba0000" filename = "" Region: id = 2873 start_va = 0x7ff606332000 end_va = 0x7ff606333fff entry_point = 0x0 region_type = private name = "private_0x00007ff606332000" filename = "" Region: id = 2874 start_va = 0x7ff9fc290000 end_va = 0x7ff9fc2dffff entry_point = 0x7ff9fc290000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 2875 start_va = 0x7ff9fc360000 end_va = 0x7ff9fc385fff entry_point = 0x7ff9fc360000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2876 start_va = 0xf17ac20000 end_va = 0xf17ac9ffff entry_point = 0x0 region_type = private name = "private_0x000000f17ac20000" filename = "" Region: id = 2877 start_va = 0x7ff606330000 end_va = 0x7ff606331fff entry_point = 0x0 region_type = private name = "private_0x00007ff606330000" filename = "" Region: id = 2878 start_va = 0x7ff9fd2b0000 end_va = 0x7ff9fd354fff entry_point = 0x7ff9fd2b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2879 start_va = 0x7ff9fd190000 end_va = 0x7ff9fd246fff entry_point = 0x7ff9fd190000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2880 start_va = 0xf17aca0000 end_va = 0xf17ae18fff entry_point = 0xf17aca0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2881 start_va = 0xf179bf0000 end_va = 0xf179bf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f179bf0000" filename = "" Region: id = 2882 start_va = 0x7ff9fd8c0000 end_va = 0x7ff9fd963fff entry_point = 0x7ff9fd8c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2883 start_va = 0xf179c00000 end_va = 0xf179c00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f179c00000" filename = "" Region: id = 2884 start_va = 0x7ff9f8c80000 end_va = 0x7ff9f8e1cfff entry_point = 0x7ff9f8c80000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 2886 start_va = 0x7ff9f80a0000 end_va = 0x7ff9f80c3fff entry_point = 0x7ff9f80a0000 region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 2894 start_va = 0x7ff9fcaf0000 end_va = 0x7ff9fccc6fff entry_point = 0x7ff9fcaf0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2895 start_va = 0x7ff9fc920000 end_va = 0x7ff9fc931fff entry_point = 0x7ff9fc920000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2909 start_va = 0xf17aca0000 end_va = 0xf17ad1ffff entry_point = 0x0 region_type = private name = "private_0x000000f17aca0000" filename = "" Region: id = 2910 start_va = 0x7ff60632e000 end_va = 0x7ff60632ffff entry_point = 0x0 region_type = private name = "private_0x00007ff60632e000" filename = "" Region: id = 2911 start_va = 0x7ff9f8030000 end_va = 0x7ff9f8091fff entry_point = 0x7ff9f8030000 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 2933 start_va = 0x7ff9fca50000 end_va = 0x7ff9fca99fff entry_point = 0x7ff9fca50000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2934 start_va = 0x7ff9fa450000 end_va = 0x7ff9fa4b6fff entry_point = 0x7ff9fa450000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Thread: id = 233 os_tid = 0x3c8 Thread: id = 234 os_tid = 0x3cc Thread: id = 235 os_tid = 0x3d0 Thread: id = 237 os_tid = 0x3d8 Thread: id = 238 os_tid = 0x3dc Thread: id = 239 os_tid = 0x3e0 Thread: id = 240 os_tid = 0x3e4 Thread: id = 241 os_tid = 0x3e8 Thread: id = 242 os_tid = 0x3ec Thread: id = 243 os_tid = 0x3f0 Thread: id = 252 os_tid = 0x114 Thread: id = 290 os_tid = 0x3bc Thread: id = 295 os_tid = 0x120 Thread: id = 296 os_tid = 0x258 Thread: id = 298 os_tid = 0x408 Thread: id = 299 os_tid = 0x40c Thread: id = 302 os_tid = 0x418 Process: id = "30" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0xaf1e000" os_pid = "0x128" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000ce24" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2580 start_va = 0x730000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 2581 start_va = 0x750000 end_va = 0x75efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 2582 start_va = 0x760000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 2583 start_va = 0x7a0000 end_va = 0x7a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 2584 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2585 start_va = 0x7ff69f0f0000 end_va = 0x7ff69f112fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff69f0f0000" filename = "" Region: id = 2586 start_va = 0x7ff69f119000 end_va = 0x7ff69f119fff entry_point = 0x0 region_type = private name = "private_0x00007ff69f119000" filename = "" Region: id = 2587 start_va = 0x7ff69f11e000 end_va = 0x7ff69f11ffff entry_point = 0x0 region_type = private name = "private_0x00007ff69f11e000" filename = "" Region: id = 2588 start_va = 0x7ff69ff30000 end_va = 0x7ff69fff5fff entry_point = 0x7ff69ff30000 region_type = mapped_file name = "spoolsv.exe" filename = "\\Windows\\System32\\spoolsv.exe" (normalized: "c:\\windows\\system32\\spoolsv.exe") Region: id = 2589 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2603 start_va = 0x7b0000 end_va = 0x7b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 2604 start_va = 0x7c0000 end_va = 0x7c1fff entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 2606 start_va = 0x960000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 2607 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2608 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2609 start_va = 0x730000 end_va = 0x73ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 2610 start_va = 0x7ff69eff0000 end_va = 0x7ff69f0effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff69eff0000" filename = "" Region: id = 2611 start_va = 0x7d0000 end_va = 0x84dfff entry_point = 0x7d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2612 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2613 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2614 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2615 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2616 start_va = 0x7ff9fbee0000 end_va = 0x7ff9fbf82fff entry_point = 0x7ff9fbee0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2617 start_va = 0x740000 end_va = 0x746fff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 2618 start_va = 0x7ff9fc820000 end_va = 0x7ff9fc864fff entry_point = 0x7ff9fc820000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2619 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2620 start_va = 0x7ff9fd250000 end_va = 0x7ff9fd2a7fff entry_point = 0x7ff9fd250000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2621 start_va = 0x7ff9ff470000 end_va = 0x7ff9ff478fff entry_point = 0x7ff9ff470000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2622 start_va = 0x850000 end_va = 0x90ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 2623 start_va = 0xa60000 end_va = 0xbe7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 2624 start_va = 0xbf0000 end_va = 0xd70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bf0000" filename = "" Region: id = 2625 start_va = 0x910000 end_va = 0x912fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 2626 start_va = 0x920000 end_va = 0x920fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 2627 start_va = 0x930000 end_va = 0x930fff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 2628 start_va = 0x940000 end_va = 0x940fff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 2629 start_va = 0xd80000 end_va = 0x117bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 2630 start_va = 0x1180000 end_va = 0x12affff entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 2631 start_va = 0x950000 end_va = 0x956fff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 2636 start_va = 0x1180000 end_va = 0x11bffff entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 2637 start_va = 0x11c0000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 2638 start_va = 0x12a0000 end_va = 0x12affff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 2639 start_va = 0x7ff69f11a000 end_va = 0x7ff69f11bfff entry_point = 0x0 region_type = private name = "private_0x00007ff69f11a000" filename = "" Region: id = 2640 start_va = 0x7ff69f11c000 end_va = 0x7ff69f11dfff entry_point = 0x0 region_type = private name = "private_0x00007ff69f11c000" filename = "" Region: id = 2642 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2643 start_va = 0x12b0000 end_va = 0x1367fff entry_point = 0x12b0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2644 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2645 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2646 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2647 start_va = 0x12b0000 end_va = 0x138ffff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 2649 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2650 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2651 start_va = 0x1210000 end_va = 0x1210fff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 2652 start_va = 0x1210000 end_va = 0x1210fff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 2653 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2654 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2655 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2656 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2657 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2658 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2659 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2660 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2661 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2662 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2663 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2678 start_va = 0x1210000 end_va = 0x124ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 2679 start_va = 0x7ff69f117000 end_va = 0x7ff69f118fff entry_point = 0x0 region_type = private name = "private_0x00007ff69f117000" filename = "" Region: id = 2682 start_va = 0x7ff9fc0d0000 end_va = 0x7ff9fc127fff entry_point = 0x7ff9fc0d0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Thread: id = 263 os_tid = 0x134 Thread: id = 264 os_tid = 0x174 Thread: id = 265 os_tid = 0x16c Thread: id = 266 os_tid = 0x200 Thread: id = 269 os_tid = 0x21c Process: id = "31" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0xb3b1000" os_pid = "0x168" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x2dc" cmd_line = "taskhost.exe " cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\MsKeyboardFilter" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a8e2" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2664 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2665 start_va = 0xddfa110000 end_va = 0xddfa12ffff entry_point = 0x0 region_type = private name = "private_0x000000ddfa110000" filename = "" Region: id = 2666 start_va = 0xddfa130000 end_va = 0xddfa13efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ddfa130000" filename = "" Region: id = 2667 start_va = 0xddfa140000 end_va = 0xddfa1bffff entry_point = 0x0 region_type = private name = "private_0x000000ddfa140000" filename = "" Region: id = 2668 start_va = 0xddfa1c0000 end_va = 0xddfa1c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ddfa1c0000" filename = "" Region: id = 2669 start_va = 0x7ff6802c0000 end_va = 0x7ff6802e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6802c0000" filename = "" Region: id = 2670 start_va = 0x7ff6802ed000 end_va = 0x7ff6802eefff entry_point = 0x0 region_type = private name = "private_0x00007ff6802ed000" filename = "" Region: id = 2671 start_va = 0x7ff6802ef000 end_va = 0x7ff6802effff entry_point = 0x0 region_type = private name = "private_0x00007ff6802ef000" filename = "" Region: id = 2672 start_va = 0x7ff6808f0000 end_va = 0x7ff680904fff entry_point = 0x7ff6808f0000 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 2673 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2676 start_va = 0xddfa1d0000 end_va = 0xddfa1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ddfa1d0000" filename = "" Region: id = 2677 start_va = 0xddfa1e0000 end_va = 0xddfa1e1fff entry_point = 0x0 region_type = private name = "private_0x000000ddfa1e0000" filename = "" Region: id = 2830 start_va = 0xddfa300000 end_va = 0xddfa3fffff entry_point = 0x0 region_type = private name = "private_0x000000ddfa300000" filename = "" Region: id = 2831 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2832 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2833 start_va = 0xddfa110000 end_va = 0xddfa11ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000ddfa110000" filename = "" Region: id = 2834 start_va = 0x7ff6801c0000 end_va = 0x7ff6802bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6801c0000" filename = "" Thread: id = 273 os_tid = 0x1c8 Process: id = "32" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xb9a3000" os_pid = "0x220" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\NcdAutoSetup" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d487" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Region: id = 2688 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2689 start_va = 0x3c6ddd0000 end_va = 0x3c6ddeffff entry_point = 0x0 region_type = private name = "private_0x0000003c6ddd0000" filename = "" Region: id = 2690 start_va = 0x3c6ddf0000 end_va = 0x3c6ddfefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6ddf0000" filename = "" Region: id = 2691 start_va = 0x3c6de00000 end_va = 0x3c6de7ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6de00000" filename = "" Region: id = 2692 start_va = 0x3c6de80000 end_va = 0x3c6de83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6de80000" filename = "" Region: id = 2693 start_va = 0x7ff606aa0000 end_va = 0x7ff606ac2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff606aa0000" filename = "" Region: id = 2694 start_va = 0x7ff606acd000 end_va = 0x7ff606acefff entry_point = 0x0 region_type = private name = "private_0x00007ff606acd000" filename = "" Region: id = 2695 start_va = 0x7ff606acf000 end_va = 0x7ff606acffff entry_point = 0x0 region_type = private name = "private_0x00007ff606acf000" filename = "" Region: id = 2696 start_va = 0x7ff606dc0000 end_va = 0x7ff606dcbfff entry_point = 0x7ff606dc0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2697 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2698 start_va = 0x3c6de90000 end_va = 0x3c6de90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6de90000" filename = "" Region: id = 2699 start_va = 0x3c6dea0000 end_va = 0x3c6dea1fff entry_point = 0x0 region_type = private name = "private_0x0000003c6dea0000" filename = "" Region: id = 2700 start_va = 0x3c6dfa0000 end_va = 0x3c6e09ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6dfa0000" filename = "" Region: id = 2701 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2702 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2703 start_va = 0x3c6ddd0000 end_va = 0x3c6dddffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6ddd0000" filename = "" Region: id = 2704 start_va = 0x7ff6069a0000 end_va = 0x7ff606a9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6069a0000" filename = "" Region: id = 2705 start_va = 0x3c6deb0000 end_va = 0x3c6df2dfff entry_point = 0x3c6deb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2706 start_va = 0x7ff9fd970000 end_va = 0x7ff9fd9c6fff entry_point = 0x7ff9fd970000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2707 start_va = 0x7ff9fd6d0000 end_va = 0x7ff9fd805fff entry_point = 0x7ff9fd6d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2708 start_va = 0x7ff9fcfb0000 end_va = 0x7ff9fd185fff entry_point = 0x7ff9fcfb0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2709 start_va = 0x7ff9fcec0000 end_va = 0x7ff9fcf66fff entry_point = 0x7ff9fcec0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2710 start_va = 0x3c6e0a0000 end_va = 0x3c6e18ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6e0a0000" filename = "" Region: id = 2711 start_va = 0x3c6dde0000 end_va = 0x3c6dde6fff entry_point = 0x0 region_type = private name = "private_0x0000003c6dde0000" filename = "" Region: id = 2712 start_va = 0x3c6e0a0000 end_va = 0x3c6e157fff entry_point = 0x3c6e0a0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2713 start_va = 0x3c6e180000 end_va = 0x3c6e18ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6e180000" filename = "" Region: id = 2714 start_va = 0x7ff9fb740000 end_va = 0x7ff9fb749fff entry_point = 0x7ff9fb740000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2715 start_va = 0x7ff9fc6e0000 end_va = 0x7ff9fc6e9fff entry_point = 0x7ff9fc6e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2716 start_va = 0x3c6df30000 end_va = 0x3c6df36fff entry_point = 0x0 region_type = private name = "private_0x0000003c6df30000" filename = "" Region: id = 2717 start_va = 0x7ff9fc680000 end_va = 0x7ff9fc6dffff entry_point = 0x7ff9fc680000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2718 start_va = 0x7ff9fde70000 end_va = 0x7ff9fdfe0fff entry_point = 0x7ff9fde70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2719 start_va = 0x7ff9fdb80000 end_va = 0x7ff9fdcc4fff entry_point = 0x7ff9fdb80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2720 start_va = 0x3c6e0a0000 end_va = 0x3c6e15ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6e0a0000" filename = "" Region: id = 2721 start_va = 0x3c6e190000 end_va = 0x3c6e317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6e190000" filename = "" Region: id = 2722 start_va = 0x3c6e320000 end_va = 0x3c6e4a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6e320000" filename = "" Region: id = 2723 start_va = 0x3c6df40000 end_va = 0x3c6df42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6df40000" filename = "" Region: id = 2724 start_va = 0x3c6df50000 end_va = 0x3c6df50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6df50000" filename = "" Region: id = 2725 start_va = 0x3c6df60000 end_va = 0x3c6df60fff entry_point = 0x0 region_type = private name = "private_0x0000003c6df60000" filename = "" Region: id = 2726 start_va = 0x3c6df70000 end_va = 0x3c6df70fff entry_point = 0x0 region_type = private name = "private_0x0000003c6df70000" filename = "" Region: id = 2727 start_va = 0x3c6e4b0000 end_va = 0x3c6e8abfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6e4b0000" filename = "" Region: id = 2728 start_va = 0x3c6e8b0000 end_va = 0x3c6e92ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6e8b0000" filename = "" Region: id = 2729 start_va = 0x3c6e930000 end_va = 0x3c6e9affff entry_point = 0x0 region_type = private name = "private_0x0000003c6e930000" filename = "" Region: id = 2730 start_va = 0x7ff606ac9000 end_va = 0x7ff606acafff entry_point = 0x0 region_type = private name = "private_0x00007ff606ac9000" filename = "" Region: id = 2731 start_va = 0x7ff606acb000 end_va = 0x7ff606accfff entry_point = 0x0 region_type = private name = "private_0x00007ff606acb000" filename = "" Region: id = 2732 start_va = 0x3c6e9b0000 end_va = 0x3c6ec84fff entry_point = 0x3c6e9b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2737 start_va = 0x7ff9f8220000 end_va = 0x7ff9f82effff entry_point = 0x7ff9f8220000 region_type = mapped_file name = "bfe.dll" filename = "\\Windows\\System32\\BFE.DLL" (normalized: "c:\\windows\\system32\\bfe.dll") Region: id = 2742 start_va = 0x7ff9fbb30000 end_va = 0x7ff9fbb77fff entry_point = 0x7ff9fbb30000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 2743 start_va = 0x7ff9fd250000 end_va = 0x7ff9fd2a7fff entry_point = 0x7ff9fd250000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2744 start_va = 0x7ff9fbee0000 end_va = 0x7ff9fbf82fff entry_point = 0x7ff9fbee0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2745 start_va = 0x7ff9ff470000 end_va = 0x7ff9ff478fff entry_point = 0x7ff9ff470000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2746 start_va = 0x3c6ec90000 end_va = 0x3c6ed0ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6ec90000" filename = "" Region: id = 2747 start_va = 0x3c6ed10000 end_va = 0x3c6ed8ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6ed10000" filename = "" Region: id = 2748 start_va = 0x7ff606ac7000 end_va = 0x7ff606ac8fff entry_point = 0x0 region_type = private name = "private_0x00007ff606ac7000" filename = "" Region: id = 2749 start_va = 0x3c6df80000 end_va = 0x3c6df86fff entry_point = 0x0 region_type = private name = "private_0x0000003c6df80000" filename = "" Region: id = 2750 start_va = 0x7ff9fc640000 end_va = 0x7ff9fc66afff entry_point = 0x7ff9fc640000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2751 start_va = 0x3c6ed90000 end_va = 0x3c6ee8ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6ed90000" filename = "" Region: id = 2752 start_va = 0x7ff9fa450000 end_va = 0x7ff9fa4b6fff entry_point = 0x7ff9fa450000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2753 start_va = 0x7ff9fbab0000 end_va = 0x7ff9fbabdfff entry_point = 0x7ff9fbab0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 2755 start_va = 0x3c6ee90000 end_va = 0x3c6ef0ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6ee90000" filename = "" Region: id = 2756 start_va = 0x7ff606ac5000 end_va = 0x7ff606ac6fff entry_point = 0x0 region_type = private name = "private_0x00007ff606ac5000" filename = "" Region: id = 2757 start_va = 0x3c6ef10000 end_va = 0x3c6ef8ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6ef10000" filename = "" Region: id = 2758 start_va = 0x7ff606ac3000 end_va = 0x7ff606ac4fff entry_point = 0x0 region_type = private name = "private_0x00007ff606ac3000" filename = "" Region: id = 2759 start_va = 0x3c6ef90000 end_va = 0x3c6f00ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6ef90000" filename = "" Region: id = 2760 start_va = 0x7ff60699e000 end_va = 0x7ff60699ffff entry_point = 0x0 region_type = private name = "private_0x00007ff60699e000" filename = "" Region: id = 2766 start_va = 0x7ff9f8140000 end_va = 0x7ff9f8218fff entry_point = 0x7ff9f8140000 region_type = mapped_file name = "mpssvc.dll" filename = "\\Windows\\System32\\MPSSVC.dll" (normalized: "c:\\windows\\system32\\mpssvc.dll") Region: id = 2769 start_va = 0x7ff9fb7a0000 end_va = 0x7ff9fb855fff entry_point = 0x7ff9fb7a0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2770 start_va = 0x7ff9fca50000 end_va = 0x7ff9fca99fff entry_point = 0x7ff9fca50000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2771 start_va = 0x7ff9f8800000 end_va = 0x7ff9f8866fff entry_point = 0x7ff9f8800000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2777 start_va = 0x3c6f010000 end_va = 0x3c6f08ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f010000" filename = "" Region: id = 2778 start_va = 0x7ff60699c000 end_va = 0x7ff60699dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60699c000" filename = "" Region: id = 2779 start_va = 0x3c6f090000 end_va = 0x3c6f10ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f090000" filename = "" Region: id = 2780 start_va = 0x7ff60699a000 end_va = 0x7ff60699bfff entry_point = 0x0 region_type = private name = "private_0x00007ff60699a000" filename = "" Region: id = 2784 start_va = 0x3c6e930000 end_va = 0x3c6e9affff entry_point = 0x0 region_type = private name = "private_0x0000003c6e930000" filename = "" Region: id = 2785 start_va = 0x7ff606ac9000 end_va = 0x7ff606acafff entry_point = 0x0 region_type = private name = "private_0x00007ff606ac9000" filename = "" Region: id = 2786 start_va = 0x3c6f110000 end_va = 0x3c6f18ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f110000" filename = "" Region: id = 2787 start_va = 0x7ff606998000 end_va = 0x7ff606999fff entry_point = 0x0 region_type = private name = "private_0x00007ff606998000" filename = "" Region: id = 2805 start_va = 0x3c6df90000 end_va = 0x3c6df90fff entry_point = 0x0 region_type = private name = "private_0x0000003c6df90000" filename = "" Region: id = 2806 start_va = 0x3c6f190000 end_va = 0x3c6f20ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f190000" filename = "" Region: id = 2807 start_va = 0x7ff606996000 end_va = 0x7ff606997fff entry_point = 0x0 region_type = private name = "private_0x00007ff606996000" filename = "" Region: id = 2809 start_va = 0x3c6f210000 end_va = 0x3c6f28ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f210000" filename = "" Region: id = 2810 start_va = 0x7ff606994000 end_va = 0x7ff606995fff entry_point = 0x0 region_type = private name = "private_0x00007ff606994000" filename = "" Region: id = 2811 start_va = 0x3c6df90000 end_va = 0x3c6df90fff entry_point = 0x0 region_type = private name = "private_0x0000003c6df90000" filename = "" Region: id = 2812 start_va = 0x3c6df90000 end_va = 0x3c6df9ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6df90000" filename = "" Region: id = 2816 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2817 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2818 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2819 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2820 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2821 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2822 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2823 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2824 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2825 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2826 start_va = 0x3c6e160000 end_va = 0x3c6e160fff entry_point = 0x0 region_type = private name = "private_0x0000003c6e160000" filename = "" Region: id = 2827 start_va = 0x3c6f290000 end_va = 0x3c6f30ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f290000" filename = "" Region: id = 2828 start_va = 0x7ff606992000 end_va = 0x7ff606993fff entry_point = 0x0 region_type = private name = "private_0x00007ff606992000" filename = "" Region: id = 2838 start_va = 0x7ff9f80e0000 end_va = 0x7ff9f80e9fff entry_point = 0x7ff9f80e0000 region_type = mapped_file name = "adhapi.dll" filename = "\\Windows\\System32\\adhapi.dll" (normalized: "c:\\windows\\system32\\adhapi.dll") Region: id = 2846 start_va = 0x7ff9fba70000 end_va = 0x7ff9fba92fff entry_point = 0x7ff9fba70000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2847 start_va = 0x7ff9f8890000 end_va = 0x7ff9f88b8fff entry_point = 0x7ff9f8890000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2848 start_va = 0x7ff9f8870000 end_va = 0x7ff9f8879fff entry_point = 0x7ff9f8870000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2849 start_va = 0x7ff9f87d0000 end_va = 0x7ff9f87e3fff entry_point = 0x7ff9f87d0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2850 start_va = 0x7ff9f8740000 end_va = 0x7ff9f8758fff entry_point = 0x7ff9f8740000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2852 start_va = 0x7ff9fc0d0000 end_va = 0x7ff9fc127fff entry_point = 0x7ff9fc0d0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2855 start_va = 0x3c6f310000 end_va = 0x3c6f38ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f310000" filename = "" Region: id = 2856 start_va = 0x7ff606990000 end_va = 0x7ff606991fff entry_point = 0x0 region_type = private name = "private_0x00007ff606990000" filename = "" Region: id = 2857 start_va = 0x3c6f390000 end_va = 0x3c6f40ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f390000" filename = "" Region: id = 2858 start_va = 0x3c6f410000 end_va = 0x3c6f48ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f410000" filename = "" Region: id = 2859 start_va = 0x7ff60698c000 end_va = 0x7ff60698dfff entry_point = 0x0 region_type = private name = "private_0x00007ff60698c000" filename = "" Region: id = 2860 start_va = 0x7ff60698e000 end_va = 0x7ff60698ffff entry_point = 0x0 region_type = private name = "private_0x00007ff60698e000" filename = "" Region: id = 2861 start_va = 0x7ff9f80d0000 end_va = 0x7ff9f80d9fff entry_point = 0x7ff9f80d0000 region_type = mapped_file name = "wfapigp.dll" filename = "\\Windows\\System32\\wfapigp.dll" (normalized: "c:\\windows\\system32\\wfapigp.dll") Region: id = 2889 start_va = 0x3c6f490000 end_va = 0x3c6f50ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f490000" filename = "" Region: id = 2890 start_va = 0x7ff60698a000 end_va = 0x7ff60698bfff entry_point = 0x0 region_type = private name = "private_0x00007ff60698a000" filename = "" Region: id = 2891 start_va = 0x3c6f510000 end_va = 0x3c6f59cfff entry_point = 0x3c6f510000 region_type = mapped_file name = "mscms.dll" filename = "\\Windows\\System32\\mscms.dll" (normalized: "c:\\windows\\system32\\mscms.dll") Region: id = 2892 start_va = 0x7ff9f7fe0000 end_va = 0x7ff9f800cfff entry_point = 0x7ff9f7fe0000 region_type = mapped_file name = "dps.dll" filename = "\\Windows\\System32\\dps.dll" (normalized: "c:\\windows\\system32\\dps.dll") Region: id = 2898 start_va = 0x3c6e170000 end_va = 0x3c6e170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6e170000" filename = "" Region: id = 2899 start_va = 0x7ff9fd8c0000 end_va = 0x7ff9fd963fff entry_point = 0x7ff9fd8c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2900 start_va = 0x3c6ec90000 end_va = 0x3c6ec90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003c6ec90000" filename = "" Region: id = 2901 start_va = 0x3c6ed00000 end_va = 0x3c6ed0ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6ed00000" filename = "" Region: id = 2902 start_va = 0x7ff9f8c80000 end_va = 0x7ff9f8e1cfff entry_point = 0x7ff9f8c80000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 2903 start_va = 0x7ff9fd190000 end_va = 0x7ff9fd246fff entry_point = 0x7ff9fd190000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2904 start_va = 0x3c6f510000 end_va = 0x3c6f688fff entry_point = 0x3c6f510000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2906 start_va = 0x3c6f510000 end_va = 0x3c6f58ffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f510000" filename = "" Region: id = 2907 start_va = 0x3c6f590000 end_va = 0x3c6f70dfff entry_point = 0x3c6f590000 region_type = mapped_file name = "wbengine.exe" filename = "\\Windows\\System32\\wbengine.exe" (normalized: "c:\\windows\\system32\\wbengine.exe") Region: id = 2908 start_va = 0x7ff606988000 end_va = 0x7ff606989fff entry_point = 0x0 region_type = private name = "private_0x00007ff606988000" filename = "" Region: id = 2914 start_va = 0x3c6eca0000 end_va = 0x3c6eca0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6eca0000" filename = "" Region: id = 2915 start_va = 0x3c6eca0000 end_va = 0x3c6eca0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6eca0000" filename = "" Region: id = 2916 start_va = 0x3c6eca0000 end_va = 0x3c6eca7fff entry_point = 0x0 region_type = private name = "private_0x0000003c6eca0000" filename = "" Region: id = 2918 start_va = 0x3c6ecb0000 end_va = 0x3c6ecb0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6ecb0000" filename = "" Region: id = 2919 start_va = 0x3c6ecc0000 end_va = 0x3c6ecc0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6ecc0000" filename = "" Region: id = 2920 start_va = 0x3c6ecd0000 end_va = 0x3c6ecd0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6ecd0000" filename = "" Region: id = 2921 start_va = 0x3c6ece0000 end_va = 0x3c6ece0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6ece0000" filename = "" Region: id = 2922 start_va = 0x3c6ecf0000 end_va = 0x3c6ecf0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6ecf0000" filename = "" Region: id = 2923 start_va = 0x3c6f590000 end_va = 0x3c6f590fff entry_point = 0x0 region_type = private name = "private_0x0000003c6f590000" filename = "" Region: id = 2924 start_va = 0x3c6f5a0000 end_va = 0x3c6f5a0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6f5a0000" filename = "" Region: id = 2925 start_va = 0x3c6f5b0000 end_va = 0x3c6f5b0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6f5b0000" filename = "" Region: id = 2926 start_va = 0x3c6f5c0000 end_va = 0x3c6f5c0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6f5c0000" filename = "" Region: id = 2927 start_va = 0x3c6f5d0000 end_va = 0x3c6f5d0fff entry_point = 0x0 region_type = private name = "private_0x0000003c6f5d0000" filename = "" Region: id = 2928 start_va = 0x3c6f5e0000 end_va = 0x3c6f6dffff entry_point = 0x0 region_type = private name = "private_0x0000003c6f5e0000" filename = "" Region: id = 2937 start_va = 0x7ff9f7e70000 end_va = 0x7ff9f7f53fff entry_point = 0x7ff9f7e70000 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Thread: id = 270 os_tid = 0x228 Thread: id = 271 os_tid = 0x238 Thread: id = 272 os_tid = 0x258 Thread: id = 275 os_tid = 0x25c Thread: id = 276 os_tid = 0x280 Thread: id = 277 os_tid = 0x270 Thread: id = 278 os_tid = 0x2c0 Thread: id = 280 os_tid = 0x320 Thread: id = 281 os_tid = 0x350 Thread: id = 282 os_tid = 0x2e8 Thread: id = 283 os_tid = 0x368 Thread: id = 284 os_tid = 0x36c Thread: id = 287 os_tid = 0x3b8 Thread: id = 288 os_tid = 0x3d0 Thread: id = 289 os_tid = 0x3e8 Thread: id = 292 os_tid = 0xf8 Thread: id = 293 os_tid = 0xdc Thread: id = 294 os_tid = 0x3ec Thread: id = 300 os_tid = 0x410 Thread: id = 304 os_tid = 0x420 Process: id = "33" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0xc25a000" os_pid = "0x374" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x2dc" cmd_line = "taskhost.exe TpmTasks" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT TASK\\Microsoft-Windows-RAC-RacTask" [0xe], "NT TASK\\Microsoft-Windows-IME-SQM data sender" [0xe], "NT TASK\\Microsoft-Windows-WindowsUpdate-AUFirmwareInstall" [0xe], "NT TASK\\Microsoft-Windows-TPM-Tpm-Maintenance" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000e1b1" [0xc0000007], "LOCAL" [0x7] Region: id = 2788 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2789 start_va = 0xd13280000 end_va = 0xd1329ffff entry_point = 0x0 region_type = private name = "private_0x0000000d13280000" filename = "" Region: id = 2790 start_va = 0xd132a0000 end_va = 0xd132aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d132a0000" filename = "" Region: id = 2791 start_va = 0xd132b0000 end_va = 0xd1332ffff entry_point = 0x0 region_type = private name = "private_0x0000000d132b0000" filename = "" Region: id = 2792 start_va = 0xd13330000 end_va = 0xd13333fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d13330000" filename = "" Region: id = 2793 start_va = 0x7ff67fb80000 end_va = 0x7ff67fba2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67fb80000" filename = "" Region: id = 2794 start_va = 0x7ff67fba8000 end_va = 0x7ff67fba8fff entry_point = 0x0 region_type = private name = "private_0x00007ff67fba8000" filename = "" Region: id = 2795 start_va = 0x7ff67fbae000 end_va = 0x7ff67fbaffff entry_point = 0x0 region_type = private name = "private_0x00007ff67fbae000" filename = "" Region: id = 2796 start_va = 0x7ff6808f0000 end_va = 0x7ff680904fff entry_point = 0x7ff6808f0000 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 2797 start_va = 0x7ff9ff500000 end_va = 0x7ff9ff6a9fff entry_point = 0x7ff9ff500000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2798 start_va = 0xd13340000 end_va = 0xd13340fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d13340000" filename = "" Region: id = 2799 start_va = 0xd13350000 end_va = 0xd13351fff entry_point = 0x0 region_type = private name = "private_0x0000000d13350000" filename = "" Region: id = 2835 start_va = 0xd13450000 end_va = 0xd1354ffff entry_point = 0x0 region_type = private name = "private_0x0000000d13450000" filename = "" Region: id = 2836 start_va = 0x7ff9fcd80000 end_va = 0x7ff9fceb9fff entry_point = 0x7ff9fcd80000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2843 start_va = 0x7ff9fc940000 end_va = 0x7ff9fca4ffff entry_point = 0x7ff9fc940000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2844 start_va = 0xd13280000 end_va = 0xd1328ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000d13280000" filename = "" Region: id = 2845 start_va = 0x7ff67fa80000 end_va = 0x7ff67fb7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67fa80000" filename = "" Thread: id = 291 os_tid = 0x3a0